8allC'~~ Hea It~ Awarr.

1Il I
'[fH'

IfilflwllnJ'iI'

lEn~Inc:errng

E:SS

u.s. DEIPAIRTM'ENT

HUMA N SERVICES Public ~eanh Sarvit-E Ce nlors for Dise;] SEJ C ontror and P 1iE1,,~ nhon Na1ional In Mitule (or oecu pa~iolialsa:re ty and I-l eallh
OF HEA lTM AND

coc
. "."-

n"'oJl~~ •. ~.

... t" ~ ~

~'~c,:::

~I.'I·.:;:;." rl...~~~:.H

SYSTEM SAFETY AND RISK MANAGEMENT A Guide for Engineering Educators

Authors
Pat L. Clemens, P.E., CSP Corporate Safety Manager Sverdrup Technology, Incoporated Tullahoma, Tennessee and Rodney J. Simmons, Ph.D., CSP Technical Director, Board of Certified Safety Professionals Savoy, Illinois and Adjunct Assistant Professor of Industrial Engineering Department of Mechanical, Industrial and Nuclear Engineering University of Cincinnati Cincinnati, Ohio

u.s. DEPARTMENT

OF HEALTH AND HUMAN SERVICES Public Health Service Centers for Disease Control and Prevention National Institute for Occupational Safety and Health Cincinnati, Ohio March 1998

ACKNOWLEDGMENTS
We wish to thank Professor Robert McClay, Indiana University of Pennsylvania, and Professors Robert Thomas, Tony Smith and Susan Hankins, Auburn University, for their review of this document. We also thank the following NationalInstitute for Occupational Safety and Health (NIOSH) personnel for their review of this document: Dr. Rebecca Giorcelli. The report was edited by Susan Feldmann.

This report was prepared in support ofNIOSH Project SHAPE (Safety and Health Awareness for Preventive Engineering).Project SHAPE is designed to enhance tbe education of engineers in tbe safety and health field.

DISCLAIMER
The opinions, fmdings and conclusions expressed are not necessarily those of the National Institute for Occupational Safety and Health, nor does mention of company names or products constitute endorsement by the National Institute for Occupational Safety and Health.

NIOSH Project Officer John Talty, P.E., DEE

NIOSH Order No. 96·37768

Inc. facilities. this This module is intended for instructors already acquainted with system safety. The material in this module has been delivered to more than 2. For each of the analytical techniques. It has also been delivered as an intensive three. iii . Risk has two components. These lecture slides and practice problems (supported by this module) are the result of insights gained while teaching system safety.000 senior and graduate level students at major universities in the United States and abroad. and government in the United States and other countries.ABSTRACT System safety provides many disciplined approaches to hazard identification and risk analysis. including classroom examples and workshop problems drawn from professional practice. Comments from these students and other instructors have guided the refmement of the lecture materials.to four-day short course for engineers and managers employed by business. The instructor may obtain these slides at the Sverdrup Technology. and the environment. both must be determined to assess risk. website (http://www.sverdrup. An important feature of this module is a collection of more than 400 presentation slides. severity and probability. industry. equipment. This module presents fifteen techniques from system safety practice.comlsvt). It is also suitable for instructors in occupational and environmental safety and health. and risk assessment for more than fifteen years to university students and practicing professionals. The authors welcome suggestions for improvement of the material. Instructors may incorporate individual lessons into existing engineering courses or use the entire module to form the basis of a one-quarter or one-semester class in risk assessment and system safety (perhaps entitled "hazard identification and risk assessment") open to students from any engineering major. the approach is to first walk the instructor though an explanation of the logic underlying the method. then to provide a demonstration example suitable to presentation in the classroom by the instructor. quality. production. The analytical techniques presented in module can be used to assess risk to employees. hazard identification. The authors have presented the material in an order that has been successful in the classroom.

. Limitations . . System Safety and the Design Function Final Words of Caution References and Suggested Readings Sample Discussion and Examination Questions .... .. . . . ... . . . . . . . . .. ..•. . . . . . . .. . . . . . . ... . . . . . . ... . . ... . . ... . . . . . . . . . . . References and Suggested Readings . .. . . . .... III-3 I1I-3 III-3 I1I-7 1II-8 1II-8 IJI-9 I1I-lO iv . References and Suggested Readings . . .. ... . .. . . . Advantages .. . . . . . . . . . . . . .. .. . . Special Terms . . . . . . . . . . Description .. Application . . . Objective.. . . . . .. .. . . . . .' . . . .. . . . . . . . . .. . . LESSON III-PRELIMINARY HAZARD ANALYSIS III-I Purpose. . . . .. .. .. ... . .CONTENTS Page Abstract . .. . . '. . . .. . . . . . . . . . . . .. . . . . . Objective. . . ... 111 LESSON I-SYSTEM SAFETY AND RISK MANAGEMENT: AN INTRODUCTION Purpose... . . . . . . .. . . . .. II-12 Purpose.. Application . . . . . . . . . . . .. .... ... Procedures . . . . .... . .. . .. . .. . . I-I 1-3 1-3 1-6 1-7 1-7 1-7 1-12 1-12 1-13 1-14 LESSON II-RISK ASSESSMENT MATRIX II-I II-3 II-4 II-4 II-8 II-I0 II-lO II-II . . .. Limitations . Special Terms What is System Safety? Development of System Safety Practice and Techniques: A Historical Overview Importance of Integrating the System Safety Program Throughout the Product/System/Facility Life Cycle Comparison of System Safety and the Traditional Approach to Safety Comparison of System Safety and Reliability Engineering Organization of the Module ... .. . . .. .. .. . . . Objective. . Sample Discussion and Examination Questions .. .. . . .. . . . . .. Advantages . ... .. .. . . . Example ... Special Terms . . Description . .. . . .. . .. . . . .. .. . .. Sample Discussion and Examination Questions .. .. .. . . . . . . . Procedures . .•. . .. . .. ... .... .. . . .•. .. . . .. .. Example . .

. . . . . . . .. EFFECTS. . . . . . . . .. .. . . ... Probability Determination .. . ... . VII-4 VIlA VII-IO VII-lO VII-lO VII-II VII-12 VII-12 VlI-6 v .. . .... . .... .. . . . . .. . ... . .... . .. . . . . . References and Suggested Readings Sample Discussion and Examination . . . .. . . . ... .. .•. ... . .. . . . . . . . . Objective. . . . .. .. . . . .. References and Suggested Readings . ... . .. AND CRITICALITY ANALYSIS Purpose. .. . . .' . . . .. . . . . .. Procedures .. Objective.LESSON IV-ENERGY FLOW/BARRIER ANALYSIS Purpose. . .. . . . IV-I IV-3 IV-3 IV-3 IV-4 IV-5 IV-6 IV-7 IV-8 LESSON V-FAILURE MODES AND EFFECTS ANALYSIS .. . . . Example Discussion and Examination Questions . ... .. . . . .. Objective. . . . . . .. . .. . . . . .... . . . ... . . VI-l Purpose.. . . . . . . . . .. .. .. . .. . . . . . .. . .... . . . ... .. . .. . . .. . ... . . . .. .. . . .. . .. .. . . Examples ····. . .. . . . Description .. . . ... . . . . .. . . . . .. . .. . .. . . . . ... Special Terms .. . . .. .. . . . . .. . ... . .. .. Application ... . . . . . . . . . . Description ..·· . . . .... . .. . ... .. . Identifying Path Sets . .. ... . . .. . .... . .. .. . . . .. . . .. . . . .. .. . . Procedures Exanrple Advantages Limitations .. . '" '" . . . . .. . .. . Objective.. . . . . . . . . . . . ... . . . . Determining Cut Sets .. .. . . . . .. . . . .. . . . ... Procedures . . . . . . . . .. .. . ...: I I LESSON VI-RELIABILITY BLOCK DIAGRAM . . . . .... .. . . .. . . ... . ... . . .. .. Fault Tree Construction and Probability Propagation . V-I V-3 V-3 V-3 V-8 V-IO V-12 V-13 V. . . . . ... . . .... .. . .. ... .. . ... . .. ... .. . . . ..... .. . . . . . .. . . . . Application . ... .. . . Example . . . Special Terms Description Application . ... .. . . Application '. . .. Assessing Cut Sets . . . . . . . . Advantages .. . ....... . . .. . Limitations .... Special Terms . .. . . ... . . . Questions . ... . . . Identifying Cut Sets ... .. Procedures Example '" '" Advantages Limitations . . . . . . . . . . . . . Fault Tree Generation . Special Terms Description . .. . References and Suggested Readings Sample Discussion and Examination Questions VI-3 VI-4 VI-S VI-S VI-6 VI-8 VI-9 VI-7 LESSON VII-FAULT TREE ANALYSIS VII-I VII-3 VII-3 Purpose. FAILURE MODES. . . .. . .. .. .. . .. . . .. .. . .. .. . . . . . . . .. . .

. . .. Reliability Block Diagram to FaultTree Transformation .. . . .. . . . . . . . .. IX-I IX-3 IX-4 IX-4 IX-5 IX-7 IX-7 IX-8 IX-9 LESSON X-FAULT TREE.. . . . . .. Advantages . . . . Limitations . . . . . Procedures . . . . . . Procedures .. . ' . . . . . . Advantages ... .. . . Application . . . Application . . . . . Special Terms . . .. .. ... Example . . . . .. . ... . . . . .. . . . . . . . . . . . . . . . . . .. . . . . ... . . . . Application . . . . .. . . . . . Sample Discussion and Examination Questions .. . .. . . Advantages . . .... . .. . . . . . .. . .. . . . . . . . . . . . . . . . . . . . . . . . . . '. . . . . . . . Description . . . . . ... . . . References and Suggested Readings . Sample Discussion and Examination Questions . . .. .. . . . . . . . VII-l 2 VII-12 VII-14 VII-14 VII-16 VII-17 LESSON VllI-8UCCESS TREE ANALYSIS VIII-I VIII-3 VIII-3 VIII-3 VIIl-4 Purpose. . . . . " . .. . VIII-5 VIU-5 VIU-7 VIII-8 LESSON IX-EVENT TREE ANALYSIS Purpose. . . .. Special Terms .. . .. . .CutSets . . . . Objective. . . . . . RELIABILITY BLOCK DIAGRAM.. . . . .. . . . .. . . . . .. . . . . . .. . . . . . . .. . .. . . . .. . . . . .. .. . . . . . . .. .. . .. . ... .. . .. .. . . .. Objective. . . . References and Suggested Readings . . . . . . .. . .. .. .. . . . . References and Suggested Readings . Advantages . . . . . . . . . . . . . . . .. . .. Fault Tree to Reliability Block Diagram Transformation . .. . . . . .. .. . . . . .. .. . . . . . . . Limitations .. . . .. . ... . .. . . . . . . . . . . . Sample Discussion and Examination Questions . .. . . .. . . . . Objective. . . . . . .. . Description .. . . .. . . . . . . .. . . . . . . . 'Reliability Block Diagram and Fault Tree to Event Tree Transformation ... . .. . . . Event Tree to Reliability Block Diagram and Fault Tree Transformation . Procedures . . Special Terms .. .. . . . . . . . . .. .. . . . . . .. . . .. .. . . . AND EVENT TREE TRANSFORMATIONS Purpose. X-IO vi . .. . . . . . . . . . .. . . . . . . . . References and Suggested Readings . . . . . . . . . . .. . .. .. . . . .. Sample Discussion and Examination Questions . . . . Limitations . Path Sets . .. . Example . . . . . . . . . . . .•. . .. . .. . . . . .. Description . . .... . . . . . . . X-I X-3 X-3 X-3 X-3 X-3 X-5 X-5 X-6 X-8 X-8 X-9 Example : ' . . . . Limitations . . . . . . . . . . . . . . . .

... . . Procedures . . .. Application . XI-I XI-3 XI-4 XI-4 XI-6 XI-7 XI-7 XI-9 XI-IO Purpose. ... . ..... .. . . References and Suggested Readings .DIRECTED GRAPmC (DIGRAPH) MATRIX ANALYSIS XII-I XII-3 XII-3 XII-3 XII-5 XII-8 XIl-8 XII-9 XII-IO Purpose. . . . . . ... ..LESSON XI. . . . . ' Advantages . . . .. .. .. . ..CAUSE-CONSEQUENCE ANALYSIS . Objective........ ... Limitations . . . . . . . Sample Discussion and Examination Questions ... .. . References Sample Discussion and Examination Questions XIV-3 XIV-3 XIV-5 XIV-7 XIV-7 XIV-8 XVI-9 vii ... . .. . ... ... . . .. .. . .. .. .. . .. .... . '. . . XIV-I XIV-3 Purpose. Advantages ' ..... .. . ... ...... . .. ... .. . .. . . .... Limitations References and Suggested Readings . .. . . Example Advantages .. ..... Sample Discussion and Examination Questions ANALYSIS . MODELING .. . . . ... .. .. . .. .. .... References and Suggested Readings .. .. . . . .. ... Application Procedures :.. .. XIII-I XIII-3 XIII-3 XIII-3 XIII-4 XIII-6 XIII-6 XIII-7 XIII-8 LESSON XIV-FAILURE MODE INFORMATION . ... .. . . .. . . ....... ...•. ... . Procedures .. Sample Discussion and Examination Questions ... ... . ..... ........ .. . . . .. . . ..... . . ....... ...... Objective. .. ... ... . . .. . ... . . Objective. . . Example .. . LESSON XIII-COMBINATORIAL FAILURE PROBABILITY USING SUBJECTIVE INFORMATION Purpose. . . .. .. Example Advantages ' Limitations . .. .. . . LESSON XII. . . .. . .. .... . ... ........ .. Limitations .. . ... Description .. .. .. .. Special Terms Description . .. Application . . . . Special Terms... . . .. . . . .. . .. . ... PROPAGATION .. Objective.' . . .. •. . .. . .. . ... ... . ... . .. . . . . . . Application Procedures Example . .. . . . ' . . .. .. .. .. .... .. . . .. . .. ..... . . . ..... .. . Special Terms . . . ... . . . .. . . . .. .... . . . .. .. Description . Special Terms Description ... . . . .. .. . .. .. .. . . . " ~... ... .. . . ... . . "..

.. Objective. Special Terms . . . . . .... . . . . . . . . . .. . . ... . . . . . . . Description . . . . .. .. . .. .. .. . . .. . . . .. . . . . . .LESSON XV-PROBABILISTIC DESIGN ANALYSIS XV-l XV-3 XV-3 XV-3 XV-7 XV-7 XV-8 Purpose. . . . .. . . . . . .. . . . . . .. . .. . . ... . . . .. .. . . ... . .. . . . Advantages . .. . . XV-9 LESSON XVI-PROBABILISTIC RISK ASSESSMENT Purpose. . . ... . . . References and Suggested Readings .. . . . . . . .. . . . . .. . . ... . . . . . .. . . . . . . XVI-I XVI-3 XVI-4 XVI-4 XVI-5 XVI-5 XVI-6 XVI-7 APPENDICES A B C D E F Integrating System Safety in the Product Life Cycle Sample Worksheet for Preliminary Hazard Analysis Sample Worksheet for Failure Modes and Effects Analysis Sample Hazards Checklist Glossary of Terms Software Tools for System Safety Analysis viii . Application . . . . . . " . . . . . . .' . '.. . . Advantages . . . .. . . . . .. . Special Terms . .. . ... . .. . . . . . . . .. .. Description . . . . .. .. . . .. . . . .. . . . . .. . ... .. . Sample Discussion and Examination Questions . . . . Limitations . . .. Limitations .. ...'. . . . .' .... . ... . . .. . References and Suggested Readings . . . . . .. . . . . . . . . . . Procedures .. . . . . .. .. . .. . . . . .. . . . Procedures .. . . . . . .. . . . . ... .. . Application . . .. . . . . . . . Sample Discussion and Examination Questions ..... . . . ... . .. . .. . Objective. . . . . . . . .. . . . .. . ..... ..

~.
/

LIST OF TABLES

Table 1·1 1·2 1-3 1-4 IV·} VI·} VI·2 VII·} VII·2 VII·3 XI-1 XII-} XII-2 XIII-} XIV-! XVl-1

Title Description of system life cycle phases Characteristics of common system safety analytical techniques . . Advantages and limitations ofsystem safety tools and methodologies Symbolic logic techniques Examples of strategies to manage harmful energy flow Simple reliability block diagram construction Reliability bands for example system . . . . . . . . . . . . . . Fault tree analysis procedures Fault tree construction symbols Probability propagation expressions for logic gates Cause-consequence tree construction symbols Comparison of digraph and fault tree logic gates . . Construction of digraph adjacency matrix Combinatorial failure probability analysis subjective scale Symbology used in failure mode information propagation Examples of societal risks . . . . . . . . . . . . . . . . . . . . . . . . . . " .. . . . . . . .

Page

1-6 1-7 1-8 1-11
IV-5 VI-3 VI-6 VII-4 VII-5 VII-9 XI-5 XII-4 XII-5 XIII·4 XIV-4 XVI-3

ix

LIST OF FIGURES

\.....,,1
Figure II-I II-2 11-3 II-4 Title Riskplane Iso-risk contour usage Risk plane to risk matrix transformation o Helpful hints in creating a risk assessment matrix . . . . ... a. Useful conventions b. Don't create too many cells c. A void discontinuities d. Don't create too many zones Typicalrisk assessment matrix .... Severity and probability interpretations Preliminary hazard analysis process flowchart ., Typical preliminary hazard analysis Example of a system breakdown and numerical coding Failure modes, effects, (and criticality) analysis process flowchart .. Typical failure modes, effects, and criticality analysis worksheet Example of a failure modes, effects, and criticality analysis a. System b. System breakdown and coding ..... co Worksheet Typical complex reliability block diagram Example reliability block diagram Fault tree construction process Log average method of probability estimation .. Relationship between reliability and failure probability propagation . Failure probability propagation through OR and AND gates Exact solution of OR gate failure probability propagation Example fault tree . Example of determining cut sets Example of determining path sets Success tree construction process Example success tree Event tree (generic case) Event tree (Bernoulli model) , ,., Example event tree analysis , , Fault tree to reliability block diagram transformation Deriving cut and path sets from a reliability block diagram ,. Reliability block diagram to event tree transformation Reliability block diagram to fault tree transformation Event tree to fault tree transformation , , , Equivalent logic reliability block diagram and fault tree from event tree example a. Reliability block diagram based on event tree example b. Fault tree based on event tree example Relationship between cause and consequence Cause-consequence analysis format Example cause-consequence analysis Example digraph matrix analysis a. Success domain model
0 ••••• 0

Page .
0 ••• 0

.
0 •••

0

•••

0

••••

0

••••

0

••••••••••••••

0

•••

0

••••

0

0

•••••••••••••••••••••••

0

••••••••••••••••••

II-S
II-6 III-I III-2 V-I V-2 V-3 V-4

0

••••

0

••••

0

•••

0

0

•••

0

0

••••

0

••

;

•••

0

0

••••

0

•••••••••••••

0

.
0 ••••

. .
0 • 0

0

••••

0

••••••••••

0

•••••••••

0

••••

0

••••

0

••••••••••••

0

•••••••••••••••••••••••••••••

0

••

VI-l VI-2 VII-l VIJ-2 VII-3 VII-4 VII-S VII-6 VII-7 VII-8 VIII-I VIII-2 IX-l IX-2 IX-3 X-I X-2 X-3 X-4 X-5 X-6

0

••••••••••••••••

0

•••••••••••••••••••••••••••••••

0

••••••••••••••••••••••••••

0

••••

0

•••••

0

•••••••••

0

••••

.
0 ••••

0

•••••••••••••••••••

0

•••••••••••••••••••••••

.
0 •• • • • • •

0

••••••••••••••

0

••••••••••••••

0

0

••••••••••••••••••••••••••••••••

0

••••••••••••••

0

••••••••••••••••

.
0 •

.
0 ••••

.
0 •••

0

••••

0

••••

0

••••••••

II-3 II-4 II-5 II-6 11-6 11-6 II-7 1I-7 II-8 II-9 III-6 III-7 V-4 V-7 V-8 V-9 V-9 V-9 V-lO VI-4 VI-6 VII-6 VII-? VIl-8 VII-8 VII-9 VII-12 VU-13 VII-14 VIII-4 VIII-5 IX-3 IX-4 IX-6 X-3 X-4 X-4 X-5 X-6 X-7 X-7 X-7 XI-3 XI-6 XI-7 XII-6 XII-6

~

0

•••••••••••••••••••••••

0

•••

.
0 •

XI-l XI-2 XI-3 XII-l

. . .

0

•••••••••••••••••••

0

•••••

0

•••••••••

0

•••••••

x

XIII-l

XIV-I

XV-l XV-2 XVI-l

b. Failure domain model c. Adjacency matrix d. Adjacency elements e. Reachability matrix f. Reachability elements g. Summary matrix Example combinatorial failure probability analysis a. System schematic b. System fault tree Example failure mode information propagation model a. System schematic b. Model c. Minimal success sets Load and capability transfer function Interference between load and capability density functions Societal risks

. . . . . . . . . . . . . . . .

XII-6 XII-6 XII-6 XII-7 XII-7 XII-8 XIII-5 XIII-5 XIII-5 XIV-6 XIV-6· XIV-6 XIV-7 XV-5 XV-6 XVI-4

Xl

Definition of risk analysis 3. To acquaint the student with the following: 1. 4.LESSON I SYSTEM SAFETY AND RISK ASSESSMENT: AN INTRODUCTION PURPOSE: To introduce the student to the concepts and applications of system safety and risk assessment. Use of risk assessment in system/facility/product 1. 3. System safety Risk Life cycle Severity Probability Likelihood Target Resource Hazard OBJECTIVE: design SPECIAL TERMS: 2. Concept oflife cycle 4. 1-1 . 5. 6. 8. 7. Definition of system safety 2. 9.

1-2 .

(3) they enabled the selection of a final design from among various competing designs. safety can -and should. These two disciplines were used in the aerospace and nuclear weapons programs for several reasons: (1) schedule delays for these programs were costly (and perceived as a matter of national security). during these early days. most aircraft crashes were blamed on pilot error. and manager. facility. To attribute an aircraft crash to pilot error or an industrial accident to an unsafe act places very little intellectual burden on the investigator to delve into the design of the system with which the operator (pilot or worker) was forced to coexist. and (4) there was intense scrutiny on the part of the public and the funding agencies. the USAF adopted a concurrent engineering approach. DEVELOPMENT OF SYSTEM SAFETY PRACTICE AND TECHNIQUES: A HISTORICAL OVERVIEW System safety originated in the aircraft and aerospace industries. For example. in industry. Management decision-making must also support the multiple goals of the enterprise and protect all of its resources: human. engineer. and (2) it is a collection of analytical approaches with which to practice the doctrine. and the stockholders.. and when these subsystems were finally 1-3 . During the early 1950s. Systems engineering seeks to understand the integrated whole rather than merely the component parts of a system. Management must decide whether system risk is acceptable. Systems are analyzed to identify their hazards and those hazards are assessed as to their risks for a single reason: to support management decision-making. and reputation. Together. and at what cost. the public.in contrast. with an aim toward optimizing the system to meet multiple objectives. The practice of system safety has both art and science aspects. Because of the pressure to field these weapon systems as quickly as possible. equipment. Historically. accidents were most commonly blamed on an unsafe act. Management decision-making must balance the interests of all stakeholders: employees at all levels of the company. production capability. Thus safety was compartmentalized. Safety was not handled in a systematic manner. That is. no closedform solutions are available even to its most fundamental process-that of hazard discovery. It found application in U. customers. suppliers.S. This meant that the training of operations and maintenance personnel occurred simultaneously with the development of the missles and their launch facilities.be managed in the same manner as any other design or operational parameter.S. by when. financial. Remember that these weapon systems were far more complex than had ever been attempted and that many newly developed technologies were incorporated into these designs. When the USAF began developing intercontinental ballistic missiles (ICBMs) in the 1950s. there were no pilots to blame when the missiles blew up during testing. Systems engineering was developed shortly after World War II. Air Force (USAF). safety responsibility was assigned to each subsystem designer. Over the years. Instead. by whom. the RAND Corporation developed systems analysis methodology as an aid to economic and strategic decision making. then management must decide what is to be done. market position. is a science-based discipline whose fundamental principles rest solely on the physical laws of nature and on applying those laws to the solution of practical problems. nuclear weapons programs because of the complexity of these programs and the perceived costs (risks) of non-attainment of nuclear superiority. Mechanical engineering.WHAT IS SYSTEM SAFETY? System safety has two primary characteristics: (1) it is a doctrine of management practice that mandates that hazards be found and risks controlled. (2) the systems were complex. If that risk is not acceptable. System safety was first practiced by the U. Similarly. product quality. the distinction between systems engineering and systems analysis has blurred. and involved many contractors and subcontractors. inventory. they form the philosophical foundation for system safety.

Hazards associated with each system. design. interface problems were detected=. The system safety program objectives shall be specified in a formal plan which must describe an integrated effort within the total program . and operations. consistent with mission requirements. MIL-STD-882 stated: The contractor shall establish and maintain an effective system safety program that is planned and integrated into all phases of system development. In June 1969. [1] The investigations of these losses uncovered deficiencies in management. Minimum risk is involved in the acceptance and use of new materials and new production and testing techniques. Very suddenly.too late. e. is designed into the system. this specification became MIL-STD-882 (System Safety Program/or Systems and Associated Subsystems and Equipment: Requirements fori. contractual obligation. cost effective manner. production. The drive mechanism held it for all but the last five feet when gravity took over and the missile dropped back. subsystem and equipment are identified and evaluated and eliminated or controlled to an acceptable level. The system safety program objectives are to ensure that: a. issued in 1984. and operation. f. The system safety program shall provide a disciplined approach to methodically control safety aspects and evaluate the system's design: identify hazards and prescribe corrective action in a timely. System safety received increasing emphasis in weapon development programs during the 1960s because of limited opportunities for testing and the unacceptable consequences of potential accidents. when you were not firing in anger. and property. used to balance the silo elevator on the way up and down in the silo. The USAF describes one incident in a design manual: An ICBM silo was destroyed because the counterweights. The Minuteman ICBM (fielded in 1962) was the first weapon system to have a system safety program as a formal. issued by the Department of Defense (DoD). equipment. This realization led the USAF to adopt a system safety approach which had the goal of preventing accidents before their first occurrence. The first operation with a fueled missile was nearly successful. This standard was updated in 1977 as MIL-STD-882A. software requirements were included MIL-STD882B. The USAF realized that the traditional (reiterative) "fly-crash-fix-fly" approach could not produce acceptable results (because of cost and geopolitical ramifications). The USAF released its first system safety specification in 1966 (MIL-S-38130A). b. were designed with consideration only to raising a fueled missile to the surface for firing. The DoD incorporated a system safety program as part of its requirements for all procured systems and products. the40-foot diameter silo was altered to about 100-foot diameter. Retrofit actions required to improved safety are minimized through the timely inclusion of safety factors during the acquisition of a system.integrated. the USAF issued its own system safety 1-4 . you had to bring the fueled missile back down to defuel. d.. Control over hazards that cannot be eliminated is established to protect personnel. With the recognition that software was an integral part of modem systems. There was no consideration that. c. During this time period. The historical safety data generated by similar system programs are considered and used where appropriate... Safety.

. After several high-profile incidents in the chemical processing industry.requires identifying hazards in ''permit-required confmed spaces [containing] any . These two standards were harmonized into a single document in 1993.. Note that 1-5 . At General Motors. companies wishing to export industrial products (packaging machinery. System safety practice is required by a number of standards: • • 21 CFR 807.S.. IBM.s. retrofit. for example) to Europe must perform a hazard analysis as part of obtaining a "CE" mark." (a requirement of the Environmental Protection Agency) NASA NHB 1700. and labor to achieve safety objectives. whether measured in terms of the costs of modification. hazards . Vol. System safety provides the techniques to conduct the hazard analysis. methodologies to determine and evaluate . and environmental issues in the engineering curricula... the medical device industry (the Food and Drug Administration's requirements for Pre-Market Notification). Accordingly. and-ultimately-market share. The semi-conductor manufacturing industry uses many system safety analytical techniques during the design of production processes.. an active Design In Safety program requires cooperation between engineering. MIL-STD-882C. product quality.. One of the features of882C is that software tasks are no longer separated from other safety tasks. companies are realizing that waiting for accidents to occur and then identifying and eliminating their causes is simply too expensive. 3 . the National Safety Council (NSC) inaugurated an Institute for Safety Through Design (ISTD). The pioneering work embodied in MIL-STD-882 has been incorporated into system safetyoriented standards used in the chemical processing industry (OSHA's 29CFR1910. automobile industry...requires hazard analyses as a part of "pre-market notific ation" for medical devices (a requirement of the u. Food and Drug Administration) 29 CFR 1910.. equipment. the ISTD has as one of its goals the inclusion of health. hazards . recent collective bargaining agreements have included safety and health language that is in keeping with the system safety philosophy.requires applying "one or more . In 1994. safety.119 (e) (2) .87 (g) . liability.requires applying "one or more . or tarnished reputation." (a requirement of the Occupational Safety and Health Administration) 40 CFR 68 . lost market share. methodologies to determine and evaluate .standard. the American Institute of Chemical Engineers formed the Center for Chemical Process Safety (CCPS). which is required for industrial products entering Europe. recognized serious safety or health hazard. principally because the cost of "mistakes" is enormous in terms of production capability. " (a requirement of the Occupational Safety and Health Administration) 29 CFR 1910. The National Institute for Occupational Safety and Health has similar goals for engineering education with its project SHAPE (Safety and Health Awareness for Preventive Engineering). and others..119 and EPA's 40CFR68). and facilities.146 (b) (4) . and Boeing) provided funding for the ISTD because they realized that training recently hired engineering graduates to consider safety and health as part of the design process was very expensive.. Eastman Kodak. and environmental topics in the chemical engineering curriculum. safety. management. Members of the NSC's Industrial Division (including GM. In the U."System Safety" • • • U. The CCPS has published an extensive collection of handbooks and guides covering various aspects of chemical process safety and has also promoted the inclusion of health. MIL-STD-1574A (System Safety Standardfor Space and Military Systems). Beyond mere regulatory compliance.1.S...

IMPORTANCE OF INTEGRATING THE SYSTEM SAFETY PROGRAM THROUGHOUT THE PRODUCTI SYSTEM! FACILITY LIFE CYCLE The principal advantages of a system safety program--compared with a conventional or traditional industrial safety program-is that early in the design stage. The system mission and design requirements are established. "Well. TABLE 1-1 Description of system life cycle phases. and design feasibility studies and design trade studies are performed during this phase. test. The design and development phase of a project. but the real advantage is that the techniques can be used to detect hazards in the early part of the life cycle. is Project Phase B Project Phase C Project Phase D Thefabrication integration. the industrial safety practitioner is dealing with a manufacturing facility or process that already exists (together with its associated hazards). rather than adding it on to a completed design. we've been doing it like this for twenty years and never had any problem. the forward-looking system safety program considers the hazards that will be encountered during the entire life cycle. System development initiated and specifications are established during this phase. organizational inertia must be overcome if major changes are to be made in the design of the manufacturing system.efforts to include safety and health in the engineering curricula are rewarded. Often. Why should we change things?" The system safety techniques allow the analysis of hazards at any time during the life cycle of a system. Project Phase E Project Phase F 1-6 . The system is deployed and system performance is validated during this phase. a major aircraft manufacturing company reported that its engineering recruiters seek graduates who have taken system and occupational safety engineering courses as part of their course work. and evaluation phase ofa project. when problems are relatively inexpensive to correct. The decommissioning/disposal/recycle phase of a project. Most of the design decisions that have an impact on the hazards posed by a system must be made relatively early in the life cycle. The operations phase of a project. The system has come to the end of its useful life and is ready to be taken out of service. Quantitative andlor qualitative comparison of candidate concepts against key evaluation criteria are performed to determine the best alternative. Table 1-1 presents one scheme for describing the major phases of a system life cycle. The industrial safety program usually considers only the hazards that arise during the operational phases of the product or manufacturing system. less costly control or elimination of hazards. For example. System safety's early-on approach leads to more effective. Usually. rather than removing the hazards from the system. The system is manufactured and requirements verified during this phase. Project Phase A The conceptual trade studies phase of a project. The concept definition phase of a project. Management sometimes holds the view that. and emphasis is placed on training the employees to co-exist with the hazards inherent in the system. System safety stresses the importance of designing safety into the system.

a search for -and review ofrelevant standards may not uncover all of the potential hazards posed by the new technology. environment. product quality. a review of history will have little value to the designer./ Failure Modes and Effects Analysis Fault Tree Analysis Event Tree Analysis Cause-Conseq uence Analysis Sneak Circuit Analysis Probabilistic Risk Assessment . and equipment. and those that employ symbolic logic to produce a conceptual model of system behavior. System safety relies on analysis. It allows the analyst (and management) to gauge the impact of various hazards on potential "targets" or "resources./ Digraph Analysis Hazard and Operability Management (HAZOP) Study ./ 1-7 ./ . including human operators./ . The basis for system safety analysis is two-fold: recognizing system limits and risk. Many techniques described in the literature are simply derivatives of others. and what happens if the component meets (or doesn't meet) the specification?" Reliability focuses on the failure of a component. When designing a new product. and not solely on past experience and standards. Characteristics of common system safety analytical techniques Technique Preliminary Hazard Analysis Inductive Deductive . Reliability asks the question. The techniques can be classified into two groups: those that rely on a hazard inventory approach. "Does the component or system continue to meet its specification. system safety recognizes that not all hazards are attributable to failures and that all failures do not necessarily cause hazards. The next lesson begins with a definition of risk and the options for managing risk to an acceptable level. Some authors think of the inventory techniques as inductive and the modeling techniques as deductive. no information may be available concerning previous mishaps. As standards writing is a slow process relative to the development of new technology. The techniques tend to be complementary. The later lessons present system safety analysis tools that can be used to identify hazards and their associated risk." including workers. COMPARISON OF SYSTEM SAFETY AND RELIABILITY ENGINEERING ORGANIZATION OF THE MODULE Table 1-2. productivity. the public./ Oversight and Risk Tree (MORT) Analysis . and for how long?" System safety asks the broader question. Table 1-2 shows some of the characteristics of the major system safety analytical techniques. System safety also analyzes the interactions among the components in a system and between the system and its environment. System safety is broader than reliability.COMPARISON OF SYSTEM SAFETY AND THE TRADITIONAL APPROACH TO SAFETY System safety looks at a broader range of losses than is typically considered by the traditional industrial safety practitioner./ ./ . "Was the specification correct. facilities./ .

total calculated reliability may be unrealistically high.. Comprehensive trees may be very large and cumbersome.".. Can be extremely labor intensive. Lecture slides supporting many of the lessons and additional workshop problems are available to the instructor at http://www. The principal techniques are illustrated in this instructional module. Fails to identify certain classes of hazards.This module describes fifteen system safety and risk assessment tools available to the system engineer analyst. May identify unnecessary design elements..-. Preliminary Hazard Analysis HI Identifies and provides inventory of hazards and countermeasures. Table 1-3. e. and a hazards checklist. Does not address co-existing hazards. Enables assessment of probabilities of co-existing faults or failures. Comprehensive trees may be very large and cumbersome. Energy FlowlBarrier Analysis IV Does not address co-existing system failure modes. with an aim to controlling that risk to acceptable levels [3].1 1-8 . Failure Modes and Effects (and Criticality) Analysis V Thorough method of identifying single point failures and their consequences. A symbolic logic model that is relatively easy for the analyst to construct. Identifies hazards associated with energy sources and determines if barriers are adequate countermeasures. Table 1-3 summarizes the major advantages and limitations of each tool or methodology discussed in this module.sverdrup.. Disadvantages Only used to assess risk of hazards. System reliability can be derived. The Appendices include a glossary of terms. Reliability Block Diagram VI Component reliability estimates may not be readily available. Many analytical techniques support the identification of hazards and an assessment of their associated risk.. does not identify hazards.g. Addresses only one undesirable event or condition that must be foreseen by the analyst. Addresses only one desirable event or condition that must be foreseen by the analyst. given component reliability.com/svt. Advantages and Limitations of System Safety Tools and Methodologies Tool or Methodology RiskAssessment Matrix Lesson II Advantages Provides standard tool to assess risk subjectively. sample worksheets. . Does not address co-existing failure modes. Fault Tree Analysis VII Success Tree Analysis VIII Assesses probability of favorable outcome of system operation. A criticality analysis provides a risk assessment of these failure modes. asphyxia in oxygen-deficient confined spaces.

can help safeguard a systemin operation by providing a warning at the onset of a threatening failure mode. computer codes and resources to perform this technique may be limited.~. Combinatorial Failure Probability Analysis Using Subjective Information XIII Use of actual quantitative data is preferred to this method. and Event Tree Transformation X This technique offers no additional information and is only as good as the input model. Discrete levels of success and failure are distinguishable. Directed Graphic (Digraph) Matrix Analysis XII Trained analyst. Enables assessment of probabilities of co-existing faults or failures. 1-9 . if implemented. End events need not be anticipated. Allows analyst to perform qualitative probabilistic risk assessment based upon the exercise of subjective engineering judgment when no quantitative data is available. Accident sequences through a system can be identified.one initiating challenge that must be foreseen by the analyst. unless used in a comparative fashion. May be very subjective as to consequence severity. Cause-Consequence Analysis XI Addresses only. Minimal cut sets. Functions simultaneously in failure and success domains. Measurement requirements can be determined that.~ Tool or Methodology Event Tree Analysis Lesson IX Advantages Enables assessment of probabilities of co-existing faults or failures. may be poorly understood. Discrete levels of success and failure are not distinguishable. Allows the analyst to examine the fault propagation through several primary and support systems. Only identifies single point (singleton) and dual points (doubleton) offailure. Reliability Block Diagram. Fault Tree. Disadvantages Addresses only one initiating challenge that must be foreseen by the analyst. Allows the analyst to overcome weakness of one technique by transforming a model of a system into an equivalent logic model in another analysis technique. End events need not be anticipated. Failure Mode Information Propagation Modeling XIV This technique is only applicable if the system is operating in a near normal range during the instant of time just before initiation of a failure. and double point failures can be determined with less computer computation than fault tree analysis. . Should only be used when actual quantitative failure data is unavailable. Data and results. single point failures.

intolerable. the analyst can model either in the failure or success domain (or both domains).comlsvt).sverdrup. Techniques can be misapplied and results misinterpreted. Lecture slides entitled "Concepts of Risk Management" and "Working with the Risk Assessment Matrix" are available (http://www. then the model is generated in the success domain. The probability of a successful operation is the reliability. or the probability that a system or component will operate successfully. Lecture slides for FEMA and FMECA are available (http://www. That method might be flawed if significant experience and historical data for similar components are not available. but also addresses the criticality. then convert the final probabilities to the desired domain using the following expression: PF+ Ps = 1. This means the analyst starts by looking at the lowest level elements in the 1-10 . The FMECA is similar to the FMEA. Several symbolic logic methods are presented in this section. or risk. Lecture slides covering preliminary hazard analysis are available (http://www. Provides methodology to assess overall system risks. When using forward logic. subjective methodology to evaluate hazards as to their risks.sverdrup. The energy flowlbarrier analysis discussed in Lesson IV is also a technique used to identify hazards and evaluate their corresponding countermeasures.comlsvt).comlsvt). discussed in Lesson V. associated with each failure mode. such as the preliminary hazard analysis (PHA) technique discussed in Lesson III. These models are developed using forward (bottom-up) or backwards (top-down) logic. An accompanying set of lecture slides for energy flow/barrier analysis is available (http://www. effects. Once hazards are identified. The risk assessment matrix (Lesson II) supports a standard. and senseless risk.Tool or Methodology Probabilistic Design Analysis Lesson XV Advantages Allows the analyst a practical method of quantitatively and statistically estimating the reliability of a system during the design phase. These methods construct conceptual models of failure or success mechanisms within a system. the analyst builds the model by repeatedly asking" What happens when a given failure occurs?" The analyst views the system from a "bottom-up" perspective. If the failure probability (PF) is examined.comlsvt).sverdrup. can be used to identify failure modes and their consequences or effects. Also discussed in Lesson V is failure modes. These tools are also used to determine either the probability of system or component failure. avoids accepting unknown. The failure modes and effects analysis (FMEA). they can be further explored if the failure modes of the elements of the system are known. then the model is generated in the failure domain and if the probability of success (Ps) is examined. Historical population data used must be very close to as-planned design population to be viable. Extrapolation between populations can render technique non-viable. Provides alternative to the traditional method of imposing safety factors and margins to ensure system reliability. Disadvantages \~ Analyst must have significant experience in probability and statistical methods to apply this technique. The risk assessment matrix is used in conjunction with hazard analyses. Probabilistic Risk Assessment XVI Performing the techniques of this methodology requires skilled analysts.sverdrup. For convenience. The PHA can be used to identify hazards and to guide development of countermeasures to mitigate the risk posed by these hazards. and criticality analysis (FMECA).

e. presented as Lesson XI. This technique uses advanced statistical methods to determine probabilities of failure modes. for example.sverdrup. 1-11 ./ . Failure mode information propagation modeling is discussed in Lesson XIV. Event Tree Analysis" IX . This is a general methodology that shows how most of the techniques mentioned earlier can be used in conjunction to assess risk with severity and probability. Sometimes it is beneficial to construct a model using one technique then transform that model into the domain of another technique to exploit the advantages of both.. Table 1-4. Probabilistic design analysis (PDA) is discussed in Lesson XV. along with the effects of timing on the response of a system to a challenge. If quantitative data are not available. This means the analyst starts by looking at a high level system failure and proceeds down into the system to trace failure paths. and event trees are generated both in the success and failure domains. .. Lecture slides covering fault tree analysis.comlsvt) ./ . .. Reliability Block Diagram VI Fault Tree Analysis= VII Success Tree Analysis VIII . Table 1-4 presents symbolic logic techniques discussed in this section and their characteristics. Probabilities are propagated through the logic models to determine the probability of system failure or success. Cause-Consequence Analysis" XI . Directed Graph Matrix Analysis XII • Lecture slides are available (http://www. rather than exact determination of expected reliability levels. . Classically.comlsvt).. Lecture slides for failure mode information propagation modeling are available at http://www. the analyst repeatedly asks "What will cause a given failure to occur?" The analyst views the system from a "top-down" perspective. Cause-consequence analysis. and how and where the information should be measured in a system to detect the onset of a failure mode that could damage the system.sverdrup.comlsvt) for fault tree analysis in the absence of quantitative data (combinatorial analysis)./ ./ . .comlsvt. the reliability.sverdrup./ . reliability diagrams are generated in the success domain. then subjective probability estimates may be used as described in Lesson XII. .sverdrup. This technique allows the analyst to determine what information is needed. event tree analysis and the transformations between these analyses are available. The use of confidence bands is important./ Each symbolic logic technique has its advantages and disadvantages. Probability data may be derived from available empirical data or found in handbooks.. Often the value is in a comparison of numbers that allows effective resource allocation./ . Caution must be exercised when quoting reliability numbers. i... Lecture slides are available (http://www. Finally./ . probabilistic risk assessment (PRA) is discussed in Lesson XVI. Symbolic Logic Techniques Technique Lesson Success Domain Failure Domain Forward (Bottom-Up) Backwards (Top-Down) .. along with lecture slides for cause-consequence analysis (http://www. Fault trees are generated in the failure domain. Methods are presented in Lesson X to transform any of the models into the other two by translating equivalent logic from the success to failure or failure to success domains.system and their functions. allows the analyst to model partial failure/success. . is a bottom-up technique. When using backwards logic to build a model. the FMEA.

system safety practice seeks to produce an umbrella-style approach to which all system safety problems will succumb. Knowledge will be gained as the product/process life cycle moves forward. etc. including the design of semiconductor manufacturing facilities. Each has more or less virtue in some applications than in others. annotated. health. This approach to continuous process improvement is shown graphically in Appendix A. there is no model that has both a bumper jack and a lobotomy kit among its inventory of tools. compendium of techniques can help guide the selection of technique(s) that are appropriate for an application[2. leading to changes in design. materials. Development of that analytical "toolbox" as part of an engineering education is a primary purpose of this document. The designer's "up stream" knowledge of the safety issues allows for the cost-effective integration of safety. manufacturing methods. and constraints. This knowledge or "lessons learned" can be applied at earlier stages of the product life cycle.SYSTEM SAFETY AND THE DESIGN FUNCTION When new products or processes are developed. and consumer products. The retained knowledge (lessons learned) and new technology drive the safety program planning. the techniques have clever names that spell out memorable acronyms. System safety aspects of software are not treated in this module. each of which is cherished for the insights it provides. 4]. there is a mixture of retained knowledge. Usually. hazard identification and analyses. as well as the safety criteria. combined with new technology that is fashioned into the new design. and environmental considerations at all points of the product life cycle. . Recourse to a dispassionate. Many modem systems are software-controlled. Appendix A provides a schematic description of the system safety approach as it is successfully used in various settings. chemical and food processing plants. The safety literature is replete with articles describing one-size-fits-all analytical techniques. inspection. requirements. The notion that one analytical approach exists that is overwhelmingly superior to all others will not die as long charlatans and shallow thinkers perpetuate the myth. FINAL WORDS OF CAUTION The search continues for the ideal system safety analytical method. Rather. Even as physics struggles to develop a unified field theory. and the papers that describe them have been given no benefit of sound technical review by peer practitioners. Each analytical technique presented in this module has its advantages and its shortcomings. air and ground transportation systems. Operations research experts point out that the variability of systems and permutations of failure opportunities within systems make analyses of those failure opportunities intractable by a single analytical approach. neither does the quest to invent the universal technique. The design engineer/analyst is well-served by a "toolbox" of system safety analytical techniques. Just as the search among existing analytical methods for the ideal one does not end. Although the Swiss army knife is a marvelous combination of tools. This has resulted in increasing recognition of the importance of integrating software safety efforts within the system safety program[3]. the designer seldom begins with a blank canvas.

principles and practices. ed. RA. New York. 1-1. WW. HE. NJ: Prentice-Hall. T. with· worked examples. [1990]. Safeware: system safety and computers. CFR. New York: Addison-Wesley Company. DG [1991]. SDP 127-1. eds.REFERENCES 1. Albuquerque. DC: U. Handbook of system and product safety. Raheja. Publishing 3. NY: McGraw-HilL Roland. 2nd ed. Leveson. [1997]. W [1972]. Government Printing Office. Air Force Space Division [1987]. 2nd ed. 5.S. SUGGESTED READINGS Bemold. NY: Elsevier. Moriarty. NY: Wiley Interscience. System Safety Society. Office of the Federal Register. Assurance technologies . System safety handbook for the acquisition manager. Washington. Talso. New York. Industrial risk management: a life-cycle approach. Guidelines for hazard evaluation procedures. Hammer. Code of Federal regulations. B [1990]. NY: American Institute of Chemical Engineers. New York. New York. NG [1995]. 1-13 . System safety engineering and management. Stephans. Center for Chemical Process Safety [1992]. Englewood Cliffs. 2nd ed. 2. NM: New Mexico Chapter. 4. p. System safety analysis handbook.

SAMPLE DISCUSSION AND EXAMINATION 1. 3. At what point during the product/facility/system life cycle should a system safety program be implemented? When can it be implemented? How is risk evaluated? "What is meant by the term "target" in system safety practice? 1-14 . 4. QUESTIONS 2. Contrast the perspective of the reliability engineer with that of the system safety engineer.

9. 12. . 4.LESSON II RISK ASSESSMENT MATRIX PURPOSE: OBJECTIVE: To introduce the student to the foundation and use of the risk assessment matrix. 8. calibration and use of the risk assessment matrix Importance of exposure interval Concept of multiple targets or exposed resources Risk Severity Probability Worst credible case Iso-risk contour Risk tolerance boundaries Risk acceptance zones Mishap Hazard Target Resource Exposure SPECIAL TERMS: II-I .4. 1. 5. 3. 10. 6. acquaint the student with the following: Defmition of risk Defmition of severity Definition of probability The concept of the risk plane The iso-risk contour Construction. 2. 5. 2. 11. 7. 7. 3. 8. To 1. 6.

II-2 .

The risk posed by a given hazard to an exposed resource can be expressed in terms of an expectation of loss... © 1997 Figure provided courtesy of Sverdrup Technology. The definition of risk and the principle of the iso-risk contour are the basis for this technique. . The severity and probability dimensions of risk define a risk plane. Risk plane . the combined severity and probability of loss. Inc. Tennessee (1) Figure II-I.. --.. Risk is the product of severity and probability (loss events per unit time or activity). Tullahoma. not worst conceivable case.comlsvt for two sets of lecture slides (Concepts in Risk Management and Working with the Risk Assessment Matrix) that support this lesson. it will result in a non-viable analysis. or conditions. The concept of the iso-risk contour is useful to provide guides. Failure to assume credible (even if conceivable is substituted) may result in an optimistic analysis. convention. ~ 1ij ffi CII Risk is constant along any iso~risk contour. exposure interval.//- II-3 . define a RISK PLANE. iso-risk contours depict constant risk within the plane. or the long-term rate of loss. Risk should be evaluated for the worst credible case. Please see http://www. the two variables that constitute risk. SEVERITY and PROBABILITY.sverdrup. As shown in Figure II-I. Note: the probability component of risk must be attached to an exposure time interval.DESCRIPTION The risk assessment matrix is a tool to conduct subjective risk assessments for use in hazard analysis[l].. and acceptance limits for risk assessments (see Figure II-2).

occasional. Use of this tool allows an organization to institute and standardize the approach to perform hazard analyses. Approximate the continuous. an iso-risk contour gives its probability at all severity levels. but may also be performed in the conceptual trade studies phase.credible severitv of outcome. critical. Note: A target or resource is defmed as the "what" that is at risk. These risks are expressed in terms of severity and probability. improbable. (2) Categorize and scale the subjective severity levels for each target or resource. Tullahoma. Iso-risk contour usage APPLICATION The risk assessment matrix is typically performed in the design and development phase.) 1 RISK ASSESSMENT GUIDES: If risk for a given hazard can be assessed at !!. legal.2 RISK ASSESSMENT CONVENTION: If possible. and impossible (adopted from MIL-STD-882C [2]). (3) Create a matrix of consequence severity versus the probability of the mishap (the event capable of producing loss). (It'll fall at the top end of its own iso-risk contour. and negligible.) o~ __ ~ __ ~ ~ PROBABILITY o i!ll1997 Figure provided courtesy of Sverdrup Technology.m: severity level. One typical breakout of targets or resources is personnel. iso-risk contour functions in the risk plane with matrix cells (see Figure 11-3). marginal. and environmental effects. remote. assess Risk for the worst. (M2l!!. defmed in Lesson III. Note that management-not the analyst-establishes and approves the risk tolerance boundaries. Management will consider social. but nQ! <!!! hazards behave this way. such as catastrophic. product loss. PROCEDURES II-4 . probable. This technique is used as a predetermined guide or criterion to evaluate identified hazards. and fmancial impacts when setting risk tolerance boundaries. such as the preliminary hazard analysis (PHA). such as frequent. Be wary of exceptions usually high-energy cases. Inc. downtime. Tennessee [1] Figure 11-2. Procedures for developing a risk assessment matrix are presented below [1J: (1) Categorize and scale the subjective probability levels for all targets or resources. These matrix cells fix the limits of risk tolerance zones.. equipment.

.• Tullahoma..e... _ R I T Y "' E E - . ... i.. . Inc .~...a)..-.....e.--." is an exception (see Figure II-4.. (1) unacceptable. Link the risk matrix to a stated exposure period.c). Establish only as many risk zones as there are desired categories of resolution to risk issues. This calibration point should be used as a benchmark to aid in evaluating other... "impossible.. "Zoning" the risk plane into judgmentally tractable cells produces a matrix.. When evaluating exposures. the exposure period is typically 25 years. Assign its risk to the highest level severity cell just inside the acceptable risk zone.«< -\ . Risk plane to risk matrix transformation (4) The following hints are helpful for creating the matrix: Increase adjacent probability steps by orders of magnitude. i. otherwise risk acceptance will be variable.. iso-risk contour functions in the risk plane. too many steps add confusion with no additional resolution (see Figure II4. (2) accepted by waiver. ~ . . The scenario should be familiar to potential analysts or characterize a tolerable perceivable threat...~~ <. Steps in the matrix define risk tolerance boundaries. All stakeholders (management or the client) who participate in establishing the risk acceptance matrix must be informed of any changes to the exposure interval for which the matrix was calibrated. . a consistent exposure interval must be selected.. II-5 . Since the assessment is subjective.:.b). (5) Calibrate the risk matrix by selecting a cell and attaching a practical hazard scenario to it. -- ~~~~~ . Tennessee [1] Figure II-3. PROBABIUTY Matrix cells approximate the continuous. make sure every one-step pathdoes not pass through more than one zone (see Figure II-4. The lowest step. An event for which the probability of occurrence is judged as remote during an exposure period of 3 months may be judged as frequent if the exposure period is extended to 30 years. less familiar risks. and (3) routinely accepted (see Figure II-4. IV PROBABIlITY © 1997 Figure provided courtesy of Sverdrup Technology.~--. For occupational applications.d).S V. "'V"IC-::-. Avoid discontinuities in establishing the risk zones. . Avoid creating too many matrix cells. . IV.. .~~~...

A.. Keep it SIMPLE! 4 x 6 = 24 cells is better than 7 x 12 84 cells = Figure II-4b.. C E D B ..'\ ~ ..'-' .." l'-: H G FED C B\ A ~ l'. ••• but F = 0 ("Impossible") = 10 x E = 10 x D B = 10 x C A = 10 x B D C r F S E V 0 ......... rr.. ~ = F. Helpful hints in creating a risk assessment matrix (Continued) II-6 ._" ._'\ :-- ~ V VI VI I I FLAWED II F PROBABILITY S E V E II R I T Y III IV PROBABILITY E 0 B A Y ~ ?E . !\: .. Don't create too many cells ©1997 Figures provided courtesyof Sverdrup Technology.. Inc. Added steps become confused/meaningless. Tennessee [l] Figure 11-4.'\ ~ I'--... c. Tullahoma. A Severity Level III is OSHA-Recordable ~11I[=I=I~0)~31:]~~~~~ IV PROBABILITY E II R Figure II-4a... ~ r-..: .. Subjective judgment can't readily resolve more than six discrete probability steps.....Factors of ten separate adjacent probability steps.. Useful conventions L I S E K J I n V nI Y + E R IV = 1= -...

. IV PROBABILITY Figure II-4c. But what are the rational functions for the many levels? F PROBABIUTY S E V E II R I T y III E Three zones will usually suffice. A hazard's risk is either . Helpful hints in creating a risk assessment matrix (Concluded) II-? .." or even more. • (3) Routinely accepted • (2) Accepted by waiver. or • (1) Avoided. IV PROBABILITY Figure II-4d.. Avoid discontinuities S E V E II R I T y III A 24-cell matrix can be resolved into 9 levels of "priority.F S E V E II Can a countermeasure make the "leap" from zone (1) to zone (3) in a single step? R I T Y III IV PROBABILITY F S E V E II R I T y III E Make every one-step path from a high risk zone (1) to a lower risk zone (3) pass through the intermediate zones (2). Don't create too many zones ©1997 Figures provided courtesy of Sverdrup Technology. Tennessee [IJ Figure II-4. Tullahoma. Inc.

Inc . Tullahoma. Severity of Consequences F IMPOSSIBLE E IMPROBABLE Probability of Mishap·· CATASTROPHIC II CRITICAL III MARGINAL IV CD Actions Imperative to suppress risk to lower level. Operation permissible. Operation requires written. provided courtesy of Sverdrup Technology.. NOTE : Personnel must not be exposed to hazards in Risk Zones 1 and 2. Tennessee [1J © 1997 Figure Figure II-5. time-limited waiver. Figure II -6 shows sample interpretations of the severity and probability steps for this matrix. adapted from MIL-STD-882C [2]. "Adapted from MIL-STD-882C "Life Cycle = 25 yrs. EXAMPLE Figure II-5shows a typical risk assessment matrix. endorsed NEGLIGIBLE Codel by management.. Typical risk assessment matrix II-8 .

.g E a ~ a:I -0 "0 (]) ..... . -I- > >0 !::ew...JoO::« -....!!. I'O.i .::« ... __ U-9 . II 1/ "" 13 >() (J) g 1/ r' () "" <:» 0 co I- m ~ ~ .~ ID .uO U)U)e:: §! 0....» ~ «gOe:: ID~Q. is 21Wu ::2w 2 LL OLL CLW ~ w / 1/ u._::./-- ~~ Q)(I)o::::i m men ..Q)mlD Q)O« Q. ·en ~ ... _.ee:: .~ Clol O .3:: s:::: s:::: e" ~ 0.W •... u:> s.W 0-><1a:a:lw2l: Q.1a..

and improves resource distribution for mitigation of loss resources. The risk matrix provides a standard tool of treating the relationship between severity and probability in assessing risk for a hazard. LIMITATIONS The risk assessment matrix has the following limitations [1]: The risk assessment matrix can only be used if hazards are already identified. II-tO . allows operating decisions to be made. Subjective risk assessment avoids unknowingly accepting intolerable and senseless risk. Without data.ADVANTAGES The risk assessment matrix has the following advantages [1]: The risk matrix provides a useful guide for prudent engineering. this tool does not assist the analyst in identifying hazards. this method is subjective and is a comparative analysis only.

comlsvt). Washington. Clemens. Washington.development of guidelines. Section 807. Nuclear Regulatory Commission [1980]. MIL-STD-882C. National Aeronautics and Space Administration [1970]. U. Section 1910. Vol. CFR. u.S. II-II . Risk-based inspection .119 (e). 5000.REFERENCES 1. Washington. Department of Defense [1993].36. DC: Ll.sverdrup.9.. System safety. 2.S. Washington. S. System safety engineering and management. Inc. DC: Nuclear Regulatory Commission. 29. Government Printing Office.1 (volume 3).S. 21. NUREG/GR-0005. Office of the Federal Register. 2nd ed . Code ofF ederal regulations. TN: Sverdrup Technology. Pre-market notification (medical devices). No. Department of Defense Instruction. DC: U. PL [1993]. (available at http://www.S. Working with the risk assessment matrix (lecture notes). Department of Defense. Vol. DC: National Aeronautics and Space Administration. Office of the Federal Register. DC: U. Department of Defense [1970]. SUGGESTED READINGS CFR. Washington. Code of Federal regulations. Government Printing Office. Tullahoma. System safety program requirements. Process safety management of highly hazardous chemicals. NHB 1700.

12. 14. 8. 9. If the risk assessment matrix is then used to guide the enterprise's decision making for a system that is intended to be placed in service for 60 years. what is the usual ratio between adjacent probability steps (except for the probability step labeled as "impossible")? . 3. 4. What is the basis for the iso-risk contour? What is the definition of risk? When is a product/system/facility considered safe? Who in an enterprise establishes risk tolerance levels? What is meant by "calibrating" a risk assessment matrix? What role does society play in establishing risk tolerance boundaries? What role do the finances of the enterprise play in establishing risk tolerance boundaries? Why is it important to establish an exposure interval when evaluating risk? What exposure interval is commonly used for occupational safety and health exposures? Suppose that an enterprise establishes a risk assessment matrix. 13. QUESTIONS 2. 11. 10. using a nominal 25-year exposure interval. 6. 7. what problems may result? How does the risk assessment matrix recognize the various targets or resources of interest? When should an enterprise's risk assessment matrix be revised or reviewed? What role does the risk posed by automobile travel play in establishing risk tolerance levels? What are typical targets for which the risk assessment matrix should be calibrated? How many tolerance zones should appear on a well constructed risk assessment matrix'[ In a risk assessment matrix. 15.SAMPLE DISCUSSION AND EXAMINATION 1. 5. II-I2 . 16.

10. Advantages of preliminary hazard analysis 6. 8.LESSON III PRELIMINARY HAZARD ANALYSIS PURPOSE: OBJECTIVE: To introduce the student to the concept and application of preliminary hazard analysis. Control Consequence Mission phase Life-cycle SPECIAL TERMS: 2. 11. ---- 6. 9. Role of preliminary hazard analysis in the integrated system safety approach 3. Timing for preliminary hazard analysis 5. 7. Purpose of preliminary hazard analysis 2. Hazard Target Resource Severity Probability Risk Countermeasure .. To acquaint the student with the following: 1. 5. Procedure for performing a preliminary hazard analysis 4. . Limitations of preliminary hazard analysis 1. III-I . 4. 3.

1lI-2 .

DESCRIPTION A preliminary hazard analysis (PHA) produces a line item tabular inventory of non-trivial system hazards. etc. State other assumptions such as whether the assessment is based on an as-built or as-designed system. A list of proven methods for finding hazards is presented below: Use intuitive "engineering sense. This is so because each technique attacks the system to be analyzed differently-some are top-down. emergency shutdown. PROCEDURES III-3 . etc. and consensus standards. such as brainstorming. but that assessment should be reviewed by a peer. A hazard is defined as an activity or circumstance posing potential loss or harm to a target and is a condition required for an undesired loss event. regulations. others are bottom-up. startup. This tool is applied to cover whole-system and interface hazards for all mission phases. facilities. Procedures for performing PHAs are presented below [1]: (1) Identify resources of value tobe protected. assessments ofrisks. standard operation. environment. at any point in the life cycle of a system. These limits may be the risk matrix boundaries defined in a risk assessment matrix (see Lesson II). deactivation. maintenance. This tool allows early definition of the countermeasure type and incorporation of design countermeasures as appropriate. These resources are potential targets. A PHA may be carried out. Define the physical boundaries and operating phases (such as shakedown. Also often included is a tabular listing of countermeasures with a qualitative delineation of their predicted effectiveness. Identify the targets threatened by each hazard. mechanism (process) and outcome (consequence). Examine system specifications and expectations.). mission or test objectives. A team approach to identifying hazards. Review codes. such as personnel. Hazards should be distinguished from consequences and considered in terms of a source (hazard)." Examine and inspect similar facilities or systems and interview workers assigned to those facilities or systems. It is important to remember that each analytical technique discussed in this module complements (rather than supplants) the others. (2) Identify and observe the levels of acceptable risk that have been predetermined and approved by management or the client. If schedule and resource restraints are considerations. productivity. not quantitative. (4) Detect and confirm hazards to the system. is recommended over a single analyst. however. or whether current installed countermeasures will be considered. equipment. Though it has long been sought. A PHA is an early or initial system safety study of system hazards. APPLICATION PHAs are best applied in the design and development phase but may also be applied in the concept definition phase. and an assessment of their remaining risk after countermeasures have been imposed [1]. there is no "Swiss army knife" technique that answers all questions and is suitable for all situations. This inventory includes qualitative. then a proficient engineer with knowledge of the system should identify the hazards. (3) Defme the extent of the system to be assessed.

weeks. will induce two or more fault/failure conditions within a system. draw on the experience of several experts as opposed to a single analyst. Consider all energy sources. Consider "external influences" such as local weather.mishap files." A common cause is a circumstance or . or each human operator working life span. manufacturer's reliability analyses. then the assessment will underestimate the true risk unless the risk acceptance criterion is adjusted accordingly. Consider "common causes.mentally develop credible problems and play "what-if' games. III-4 . or months are too brief to be practical. Since probability is determined in a subjective manner. This interval can be in terms of time. if unacceptable.Interview current or intended system users or operators. Brainstorm . or personnel tendencies. The interval should depict the estimated facility. Review system safety studies from other similar systems. The matrix should be consistent with the established probability interval and force or fleet size for this assessment. equipment. etc. An interval of25 to 30 years is typically used and represents a practical value. Probability intervals expressed in hours. near-miss reports. if it exists. (7) Categorize each identified risk as acceptable or unacceptable. OSHArecordable injury rates. Consider all mission phases. environment. days. what happens ifthey get out of control? (5) Assess worst-credible case (not the worst-conceivable case) severity and probability for eacb hazard and target combination. Consult checklists (see Appendix D). population. (6) Assess risk for each hazard using a risk assessment matrix (see Lesson II). Review historical documents . A probability interval must be established before probability can be determined. The probability for a given hazard varies as a function of exposure time. National Safety Council data. If a short-term probability interval is used. or number of cycles or operations. envirorunental condition that. and operational phase. Keep the following considerations in mind during the evaluation: Remember that severity for a given hazard varies as a function of targets and operational phases. or develop countermeasures for the risk. target. What's necessary to keep them under control.

is also typically in decreasing order of cost and schedule impact (i. to replace the safety devices after servicing. (10) If countermeasures are developed. A trade study might be performed to determine a countermeasure of adequate effectiveness and minimized program impact.to refrain from attempting to defeat the engineered safety systems. III-5 .(8) Select countermeasures in the following descending priority order to optimize effectiveness: (1) design change.. If added hazards or degraded performance are unacceptable. Note that this delineation. determine new countermeasures and reevaluate the risk.e. design changes have the highest potential for cost and schedule impact). (3) safety devices (passive). to heed the warning devices. Note also that the list is . Figure III-I is a flowchart summarizing the process to perform a PHA. (9) Re-evaluate the risk with the new countermeasure installed. and (5) proceduresand training. determine whether they introduce new hazards or intolerably diminish system performance. although in decreasing order of effectiveness. (2) engineered safety systems (active). in increasing order of reliance on the human operator or maintainer . and to remember procedures and training. (4) warning devices.

~"".._._ for each ~ . . (b) operating (~..._.. no countermeasures in place) etc. other . 'SCOPE" system as to: (a) physical boundaries.... ........ IDENTIFY! ~ 0 0 0 CD "'-"'7~O~...i~~t...._ ._.:::~~~!!.. .........._..... Preliminary hazard analysis process flowchart III-6 .\ phases (e..~t'~f~~r.9.. develop NEW COUNTERMEASURES! Do the countermeasures IMPAIR system performance? •• 0 ©1997 Figure courtesyof Sverdrup Technology."..Preliminary Hazard Analysis Process Flow CD CD Recognize RISK TOLERANCE LIMITS Identify TARGETS to be protected: (i. startup.~~~~~........ __ ~ ~ TARGET/HAZARD ~ cornblnanon.....~~~...~~~..._._._ ' .. if so.. ~' USE RISK MATRIX -~ ~ MATRIX must be defined for and ' ~ must match the assessment Probability IntelV~1 and • ~ Force/Fleet Size..:::~~.....'........ as·is... Tullahoma..... ~ Describehazard: maintenance).....'". : '... Risk Matrix Boundaries) • Personnel • Product • Environment • Equipment • Productivity ' ....~~~. emergency stop. ....... Do the countermeasures introduce NEW hazards? ® 0 0 0 or.... ~ ~ ~ ASSESS RISK ~ .._.C~~d~i~~'P.... ~ REPEAT.------.Inc...Tennessee[J] Figure III-I." ~ ~ VERIFY HAZARDS DEVELOP COUNTERMEASURES AND REEVALUATE EVALUATE WORST·CASE SEVERITY -~ EVALUATE PROBABILITY ~~ ~"''''''_'''_''''''''''''''''''''''''''''''''''''''._. . e... go. shakedown. and (c) other assumptions made (e. g.....~~.......... asdesigned.. standard run._ ..........

-. Provide personal protective equipment (Scnedule 4) and training for '-I. subsystem.. Typical preliminary hazard analysis Note that the worksheet from this example contains the following information: Brief description of the portion of the system. Date of analysis.lnup crew (SiP). Tullahoma..respolnsel'cl". III-7 . System number.own (P). Hazard (description and identification number). wltn gravity runoff conduit led to Detecto-Box'" containing detector/alarm device and chemical neunanzer (S/W). © 1997 Figure provided courtesy of Sverdrup Technology. and re-gasketdorlng annual plant maintenance shutd."!-'l. Inspect flange seal at 2-montn Intervals. • Declaration of the probability interval. Inc. (A blank form is included in Appendix B./..) Identify countermeasures by appropriate code lener(s): 0= Design AI""a~on E = Engineered Safety Feature S = Safety Device W Warning Device P = Procedures/Training = Surround fiange wllt1 sealed annular stainless steel catcnment noustnq. EXAMPLE Figure III-2 shows an example of a completed PHA worksheet (from [l]) for a pressurized chemical intermediate transfer system. or operation covered in the analysis. Tennessee [l] Figure III-2.

probability level. the assessment will be flawed. see Figure II~5). While on the other hand. LIMIT ATIONS A PHA has the following limitations [1]: A PHA fails to assess risks of combined hazards or co-existing system failure modes. Risk assessment after countenneasuresare considered. Although helpful. and risk priority code (zone from risk matrix. equipment. and risk priority code.. Provides a relatively quick review and delineation of the most significant risks associated with a system. analyst(s) if it is to be effective. downtime. product environment). Signature blocks for the analyst and reviewers/approvers. an organization may create for their operation. Therefore a false conclusion may be made that overall system risk is acceptable simply because each identified hazard element risk is acceptable when viewed individually. and . probability level. if too many targets or operational phases are chosen. ADVANTAGES example is typical. If inappropriate or insufficient targets or operational phases are chosen. Provides a logically based evaluation of a system's weak points early enough to allow design mitigation of risk rather than a procedural or inspection level approach: Provides information to management to make decisions to allocate resources and prioritize activities to bring risk within acceptable limits. For example. including severity level. ~ III-8 . . including severity level. different target types care should be given to designing the form to encourage a PHA is not a structured approach that assists the analyst Assuch. Description of countermeasure (with codes for various types). Risk assessment before countermeasures are considered. However.Hazard targets (check boxes for personnel. the effort becomes too large and costly to implement. great effective use. The PHA worksheet used in the their own worksheet customized may be listed. In any case. in identifying hazards or threats. it relies on the skill and experience of the A PHA provides the following advantages [1]: Identifies and provides a log of primary system hazards and their corresponding risks.

Tullahoma. W [1972]. SUGGESTED READINGS Browning. New York: John Wiley & Sons. III-9 . TN: Sverdrup Technology. Englewood Cliffs. (available at http://www. System safety. Handbook of system and product safety.sverdrup. U.REFERENCES 1. Kumamoto. Inc. Albuquerque. WW. New York: Marcel Dekker. Moriarty. Inc. System safety engineering and management. NM: New Mexico Chapter of the System Safety Society. Stephans. Henley. 2nd ed. System safety: technology and application. System safety engineering and management.comlsvt). New York: The Institute of Electrical and Electronic Engineers. DG [1991]. Air Force [1982]. H[1991].S. Inc. System safety analysis handbook. ~" Mohr. Army [1990]. Talso. Roland. U S. Raheja. Air Force Systems Command design handbook DH 1-6. 2nd ed. Inc. RL [1980]. SW [1982]. Assurance technology and application. RA. Malasky. eds.principles and practices. New York: Garland STPM Press. The loss rate concept in safety engineering. HE. Probabilistic risk assessment. 4th ed. Preliminary Hazard Analysis (lecture presentation). RR [1993]. B [1990]. NJ: Prentice-Hall. [1997]. EJ. New York: McGraw-Hill. Hanuner. Inc. Army Regulation 3895-16.

SAMPLE DISCUSSION AND EXAMINATION QUESTIONS 1. What is the primary limitation of a preliminary hazard analysis? Can system risk be properly evaluated by means of a preliminary hazard analysis? Instructors can obtain presentation slides for a workshop problem entitled.com!svt. What are the primary reasons for performing a preliminary hazard analysis? During what phase of a product/facility/system life-cycle can a preliminary hazard be performed? What are the advantages of a preliminary hazard analysis? . 3. "Furry Slurry Processing"at http://www.sverdrup. III-lO . 5. 4. 2.

4. 3. Use of energy flowlbarrier analysis in emergency response situations 6. To acquaint the student with the following: 1. Barrier Target Energy source Countermeasure Energy flow Energy traceibarrier analysis SPECIAL TERMS: IV-I . barriers and targets which are considered when doing an energy flowlbarrier analysis 3. Use of energy flowlbarrier analysis as a "thought model" when completing a preliminary hazard analysis 4. 5. 2.LESSON IV ENERGY FLOW/BARRIER ANALYSIS PURPOSE: OBJECTIVE: To introduce the student to the concepts and applications of energy flowibarrier analysis. 6. Advantages and limitations of energy flowlbarrier analysis 1. Use of energy flowlbarrier analysis in the occupational setting 5. Philosophical foundation for energyflowibarrier analysis 2. Types of energy sources. Procedure for performing energy flowlbarrier analysis 7.

IV-2 .

a hazard (energy source) poses a risk to a target if the barriers between the energy source and the target are inadequate.? Remember that every energy source could have multiple flow paths and targets. This assessment can be applied during the design and development phase but may also be applied in the operations phase or concept definition phase. there is no "Swiss army knife" technique that answers all questions and is suitable for all situations. gas. facilities. This is because each technique attacks the system to be analyzed differently-some are top-down. environment. mechanical. See http://www.sverdrup. environment. Then the analyst assesses opportunities for undesired energy flow between the sources and targets.DESCRIPTION Energy flow/barrier analysis (EFBA) is a system safety analysis tool used to identify hazards and determine the effectiveness of countermeasures employed or proposed to mitigate the risk induced by these hazards [1]. gloves. lead shields. inventory. This analysis can also be applied in failure investigations and when making "safe to enter" decisions during emergency response situations. etc. equipment. This tool is also known as energy tracelbarrier analysis (ETBA). The energyflow/barrier method is a useful supplement to the preliminary hazard analysis discussed in Lesson III. productivity. such as personnel. etc. Energy sources are identified. such as electrical. Examples of barriers include: barricades. equipment. Examples of its use in making "safe to enter" decisions include analysis of the state of all utilities (including steam. fences. chemical. mission or test objectives. radiation. facilities. etc. PROCEDURES Procedures to perform an energy flowibarrier analysis are presented below[l]: (I) Examine the system and identify all energy sources. quality. Is the energy flow unwanted or detrimental to a target? Are existing barriers sufficient countermeasures targets? to mitigate the risk to the IV-3 . (2) Examine each potential energy flow path in the system. It is important to remember that each analytical technique discussed in this module complements (rather than supplants) the others. Resources (targets) to be protected are identified. Most analysts consider EFBA as a thought process that can be used when performing a preliminary hazard analysis. production capability. such as. Barriers are countermeasures (physical or administrative) deployed against hazards caused by flows from these energy sources to targets. Though it has long been sought. safety glasses. Energy flowibarrier analysis does not employ a separate worksheet from that used for preliminary hazard analysis (PHA). etc. others are bottom-up.) before allowing rescue teams into a damaged building. That is.comlsvt for presentation slides that support this lesson. blast walls. employees. procedures. etc. Consider the following for each energy flow path: What are the potential targets. APPLICATION An energy flowibarrier analysis can be beneficially applied whenever assessments are needed to assure that an identified target (resource) is being safeguarded against a potential energy source that can impose harm. electrical.

the target.(3) Consider the following strategies to control harmful energy flow (1]: Eliminate energy concentrations Limit quantity and/or level of energy Prevent the release of energy Modify the rate of release of energy Separate energy from target in timeandlor space Isolate by imposing a barrier Modify target contact surface or basic structure Strengthen potential target Control improper energy input The reiterative process used in PHA to bring the risk associated with a hazard-target combination under acceptable levels has direct parallels in EFBA. Many analysts incorporate an EFBA approach when performing a PHA. and thus view EFBA as a variant of PHA. and the path between the source and the target. EXAMPLE Table IV-I lists strategies to manage harmful energy flows that focus on the energy source. Included are physical and administrative barriers. The EFBA is customarily documented using a tabular format similar to that used for the PHA. IV-4 .

Table IV-I. Examples of strategies to manage harmful energy flow Strategy
Eliminate energy concentrations

Examples
controllIimit floor loading disconnect/remove energy source from system · remove combustibles from welding site change to nonflammable solvent store heavy loads on ground floor lower dam height reduce system design voltage/operating pressure use small(er) electrical capacitors/pressure accumulators reducel control vehicle speed monitorlIimit radiation exposure substitute less energetic chemicals heavy-wall pipe or vessels interlocks tagout - lockouts double-walled tankers wheel chocks flow restrictors in discharge lines resistors in discharge circuits fuses/circuit interrupters evacuate explosive test areas impose explosives quantity-distance rules install traffic signals use yellow no-passing lines on highways control hazardous operations remotely · guard rails · toe boards · hard hats face shields machine tool guards dikes grounded appliance frames/housing safety goggles cushioned dashboard fluted stacks · padded rocket motor test cell interior · Whipple plate meteorite shielding · breakaway highway sign supports foamed runways select superior material substitute forged part for cast part "harden" control room bunker cross-brace transmission line tower

Limit quantity and lor level of energy

Prevent energy release

Modify rate of energy release

Separate energy from target in time and/or space

Isolate by imposing a barrier

Modify target contact surface or basic structure

Strengthen potential target

Control improper energy input

use coded

keyed electrical connectors use match-threaded piping connectors use back flow preventors

©1997 Examples provided courtesy Sverdrup Technology. Inc., Tullahoma, Tennessee [1].

ADVANTAGES

The energy flowlbarrier analysis provides a systematic approach to identify hazards
associated with energy sources and determine whether current or planned barriers are adequate countermeasures to protect exposed targets [1].

IV-5

· LIl\flTATIONS

The EFBA has the following limitations [1]: Even after a thorough analysis, all hazards might not be discovered. Like the PHA (Lesson III), the EFBA fails to assess risks of combined hazards or co-existing system failure modes. This tool also fails to identify certain classes of hazards, e.g.: asphyxia in oxygendeficient confined spaces. Because of design and performance requirements, it is not always obvious that energy may be reduced or redirected. A re-examination of energy as heat, potential vs. kinetic mechanical energy, electrical, chemical, etc. may aid this thought process.

IV-6

REFERENCES 1. Clemens, PL [1993] Energy flow/barrier analysis (lecture presentation). 3rd ed. Tullahoma, IN: Sverdrup Technology, Inc. (see http://www.sverdrup.comlsvt for presentation slides).

SUGGESTED READINGS U.S. Department of Energy [1985]. Barrier analysis. Idaho Falls, ID: System Safety Development Center, EG&G Idaho, Inc. DOE 76-45129, SSDC-29. Haddon, W, Jr. [1973]. Energy damage and the ten countermeasure strategies. Human factors. (August).

Johnson, WG [1980]. MORT safety assurance systems. New York: Marcel Dekker, Inc. Stephans, RA, Talso, WW, eds. [1997]. System safety analysis handbook. 2nd ed. Albuquerque, NM: New Mexico Chapter of the System Safety Society.

IV-7

SAMPLE DISCUSSION 1. 2. 3. 4. S. 6. 7. 8. 9.

AND EXAMINATION

QUESTIONS

What is the basis for energy flowlbarrier analysis (EFBA)? What types of energy sources can be accommodated through EFBA? What is the difference between energy flowlbarrier analysis and energy tracelbarrier analysis? Are all barriers physical? If not, give examples of those barriers that are not physical in nature. Give an example of a combination of barriers that is used to protect a target. Give examples of administrative barriers. What is the relationship between preliminary hazard analysis (PHA) and EFBA? What type of format is used to document an EFBA? How might EFBA be used to make a "safe to enter" decision after a process plant accident or in an emergency response situation? 10. Pick an industrial situation with which you are familiar and apply EFBA to assess the risk posed by an energy flow-target combination.

IV-8

8. and criticality analysis). 12. effects. 10. 6. . Basic logic offailure modes and effects analysis (FMEA) or a failure modes. 14. Typical format of FMEAlFMECA analysis worksheet 4. 3. Mode Effect Fault Criticality Probability Severity Risk Single-point failure System Subsystem Assembly Subassembly Component Worst-credible SPECIAL TERMS: 4. Failure. 15 . 11.LESSON V FAILURE MODES AND EFFECTS ANALYSIS (FAILURE MODES. 7. AND CRITICALITY ANALYSIS) PURPOSE: OBJECTIVE: To introduce the student to the procedures and applications of failure modes and effects analysis (failure modes. effects. 9. 2. Limitations of FMEAlFMECA 6. To acquaint the student with the following: 1. and criticality analysis (FMECA) 2. 13. Procedure for performing a FMEA or FMECA 3. Advantages ofFMEAlFMECA 5. V-I . Role ofFMEAlFMECA in an integrated system safety program 1. EFFECTS. 5.

V-2 .

This tool can be used to provide reassurance that the cause. with Steps 8 through 12 omitted. Establish the mission phases to be considered in the analysis. Single-point failures can be identified. its use is often guided by top-down "screening" (as described in the "Procedures" section) to establish the limit of analytical resolution. A failure modes. Steps before performing the FMEA or FMECA: (1) Defme the scope and boundaries of the system to be assessed. Contemporary analysts are coming to recognize FMEA (and FMECA) as the technique of choice to identify potential single-point failures within a system. event tree analysis. to produce meaningful results in cost-benefit studies. Gather pertinent information relating to the system.comlsvt for presentation slides which support this lesson. these analyses can be done with or shortly after the PHA (Lesson III). there is no "Swiss army knife" technique that answers all questions and is suitable for all situations. It is important to remember that each analytical technique discussed in this module complements (rather than supplants) the others. These failure mode analyses are typically performed during the design and development phase.DESCRIPTION A failure modes and effects analysis (FMEA) is a forward logic (bottom-up). assemblies. and consequent reductions in risk can be evaluated. The vulnerable points identified in the analyses can aid management in making decisions to allocate resources in order to reduce vulnerability. subsystem. FMEA and FMECA are useful tools for cost and benefit studies. to implement effective risk mitigation and countermeasures. or part levels. This is because each technique attacks the system to be analyzed differently-some are top-down. such as requirement specifications. etc. components. tabular technique that explores the ways or modes in which each system element can fail and assesses the consequences of each of these failures [1]. effects. See http://sverdrup. V-3 ." It cannot be relied on. component. descriptions. Procedures for preparing an FMEA are the same. subassemblies. Though it has long been sought. effect. These tools are applicable within systems or at the system-subsystem interfaces and can be applied at the system. Countermeasures can be defmed for each failure mode. therefore. components and parts lists. APPLICATION An FMEA can call attention to system vulnerability to failures of individual components. In its practical application. and criticality analysis (FMECA) also addresses the criticality or risk of individual failures. Logic tree methods (fault tree analysis. drawings. (2) Partition and categorize the system into convenient and logical elements to be analyzed. and associated risk (FMECA) of component failures have been appropriately addressed. and as precursors to a fault tree analysis (see Lesson VI). (3) Develop a numerical coding system that corresponds to the system breakdown (see Figure V-I). others are bottom-up. and cause consequence analysis) are now viewed as generally more useful for this purpose. Applying FMEA to complex systems having redundancy-rich architecture fails to identify or evaluate probability or penalty for system "crashes. and piece parts. During this phase. PROCEDURES Procedures for preparing and performing FMECAs are presented below [1]. These system elements include subsystems.

mission or test objectives. . such as personnel. . These resources are potential targets. etc.Component No. equipment. environment.Part No. (5) Identify and observe the levels of acceptable risk that have been predetermined and approved by management or the client. (6) By answering the following questions [1]. ask the following question for each subsystem identified in Step 2: V-4 . . productivity. These limits may be the risk matrix boundaries defined in a risk assessment matrix (see Lesson II). code number for part 2 above is 03-01-03-01-02 Figure adapted from [1].) If the answer is yes.Assembly No. Subsystem For example. Example of system breakdown and numerical coding Steps in performing the FMEA or FMECA: (4) Identify resources of value to be protected. the analysis is complete. facilities. Document the results. the scope and resources required to perform a classic FMEA can be reduced.I Subsystem 4 Subassembly 2 Component 2 Part 2 Part 3 Typical Coding System. without loss of benefit: Will failure of the system render an unacceptable or unwanted loss? If the answer is no. . (This has the additional benefit of providing visibility of non-value added systems. Figure V-I. or it may correct incomplete criteria used for the FMEA. No.Subassembly No. .

determine if they introduce new hazards or intolerable or diminished system performance. the analysis is complete. If the answer is yes for any assembly. ask and answer the following questions: • What are the failure modes for this element? What are the effects (or consequence) of each failure mode on each target? (8) Assess worst-credible case (not the worst-conceivable case) severity and probability for each failure mode. If the answer is yes for any component. the analysis is complete. ask the following question for each part of those components identified in Step 2: Will failure of this part render an unacceptable or unwanted loss? (7) For each element (system. then develop countermeasures (12) Then re-evaluate the risk with the new countermeasure to mitigate the risk. assembly. ask the following question for each component of those assemblies identified in Step 2: Will failure of this subassembly render an unacceptable or unwanted loss? If the answer for each subassembly is no. ask the following question for each component of those subassemblies identified in Step 2: Will failure of this component render an unacceptable or unwanted loss? If the answer for each component is no. The matrix should be consistent with the established probability interval and force or fleet size for this assessment. If the answer is yes for any subassembly. develop new countermeasures and re-evaluate the risk. component. and target combination.• Will failure of this subsystem render an unacceptable or unwanted loss? If the answer for each subsystem is no. (9) Assess risk of each failure mode using a risk assessment matrix (see Lesson II). effect. subassembly. the analysis is complete. (13) If countermeasures are developed. Document the results. Document the results. installed. or part) for which failure would render an unacceptable or unwanted loss. If added hazards or degraded performance are unacceptable. If the answer is yes for any subsystem. subsystem. (10) Categorize each identified risk as acceptable or unacceptable. V-5 . ask the following question for each assembly of those subsystems identified in Step 2: Will failure of this assembly render an unacceptable or unwanted loss? If the answer for each assembly is no. (11) If the risk is unacceptable. the analysis is complete. Document the results. Document the results.

(14) Document your completed analysis on an FMEA or FMECA worksheet. Countermeasures mayor may not be listed. Appendix C'gives an additional sample FMEA worksheet. Figure V-2 presents a flowchart for FMEA or FMECA. The contents and formats of these worksheets vary among organizations. V-6 . Figure V-3 presents a sample FMEA worksheet.

. Force/Fleet Size.... develop NEW COUNTERMEASURES! © 1997 Figure provided courtesy of Sverdrup Technology.... ~ -. ..... ~ . .. 14111'i:--'""-.FMEA Process Flow .~ ~. ACCEPT (WAIVER) ABANDON ® Do the countenneasures introduce NEW hazards? .. if so... ~ ~ ~ ~ } ... 2 DEVELOP COUNTERMEASURES ~ USE RISK MATRIX..:. @ Do the countermeasures IMPAIR system periormance? . ~ ..~ REPEAT for each ~ ~ MODElEFFECTfT ARGET ~ ~ ccmbination. .. ... Failure modes. Tennessee [1J Figure V-2. (and criticality) analysis process flowchart V-7 .._ :. ~ MATRIX must be defined for and ~ must match the assessment Probability Interval and . or... effects... Inc. Tullahoma.

. TARGETIRESOURCE CODE. A schematic of the system is presented in Figure V-4. P . Figure V-3_ Typical failure modes. and subassembly elements.a.: PREPARED REVIEWED APPROVED BY: BY BY: INTERVAL: .PRODUCT I D . A FMECA worksheet for the control subsystem is presented in Figure V-4.: FAll. V-8 .b illustrates the breakdown and coding of the system into subsystem. Figure adapted from [1J. and criticality analysis worksheet EXAMPLE A sample FMECA[l] is illustrated in Figure V-4.DATA I V . AND CRITICALITY ANALYSIS WORKSHEET SHEET DATE ~ OF - SUBSYSTEM SYSTEM PROB.ENVIRONMENT T a Risk Assessment Action Required! Item! Id. No. EFFECTS. Functional Identification Failure Mode Failure Cause Failure Event r g e S e v P r 0 R C 0 Comments t i s k d e b .c. assembly. effects.FMEANO: PROJECT NO.PERSONNEL IE -IlQUlPMENT I T .: NO.URE MODES.OOWNTIME I R ... and Figure V-4. The system being assessed is an automated mountain climbing rig. NO.

. System Subsystem Hoist (A) Assemblv Motor (A-D1) Subassemblv Windings (A-01-a) Inboard bearing (A-01-b) . System breakdown and coding © 1997 Figure provided courtesy of Sverdrup Technology. and criticality analysis V-9 .Figure V-4a. Tullahoma. Example of a failure modes. Inc.Outboard bearing (A-D1-c) Rotor (A-01-d) Stator (A-D1-e) Frame (A-OH) Mounting plate (A-D1-g) Wiring terminals (A-D1-h) Drum (A-02) External power source (B) Cage (c) Frame (C-01) Lifting lug (C-02) Cable (0-01) Hook (0-02) Pulleys (0-03) Electrical (E-01) START Switch(E-01-a) FULL UP LIMIT Switch(E-D1-b) Wiring (E-01-c) Cabling (D) Controls (E) Operator (E-D2) Figure V-4b. effects. Tennessee [I} Figure V -4.

" and guide in component and manufacturer selection. Start Cage does not stop. Mechanical failure or corrosion.FMEANO.6SYSTEMNO. thorough mechanism to identify potential single-point failures and their consequences. faulty assembly No response a switch. Mechanical failure or corrosion. P E T P C C C A 3 3 3 1 II P E T IV IV IV D D D 3 3 3 switch fails open. No. Example of a failure modes. incorporate "fail safe" features into the system design. NO. effects. EFFECTS. BY. and criticality analysis (concluded) ADVANTAGES Performing FMEAs and FMECAs has the following advantages [1]: Provides an exhaustive. Figure V-4c.: SYSTEM PROB. V-IO . PROJECT NO. Results can be used to optimize reliability. obtain satisfactory operation using equipment of "low reliability. Provides further analysis at the piece-part level for high-risk hazards identified in aPHA. E-Ol-b Full Up Switch Switch fails open. E-02 Wiring Cut. Cage will not move. Functional Identification Failure Mode Failure Cause Failure Event a r Risk Assessment Action Required/ Comments g e t S e v IV IV IV P r 0 R i s k C 0 d e b E-Ol-a Start Switch Switch fails closed. An FMECA provides risk assessments of these failures. These can be added to the PHA. Stop switch fails closed.: ~ FAILURE MODES. optimize designs. Mountain Climbing Rig :tears WORKSHEET INTERVAL: TARGETIRESOURCE CODE: P 0 PERSONNEL I Eo EQUIPMENT ITo DOWNTIME IR 0 PRODUCTS ID 0 DATA I V ENVIRONMENT 0 T Item! Id. Identifies hazards caused by failures that may have been previously overlooked in the PHA. Worksheet Figure V-4. ANALYSIS SHEET DATE - OF - SlJ. Cage stays in safe position.: AND CRITICALITY 30 PREPARED REVIEWED APPROVED BY: BY. Disconnected. Varmint invasion.

V-ll . often too late to guide this prioritization. A FMECA can be a very thorough analysis suitable for prioritizing resources to higher risk areas if it can be performed early enough in the design phase. especially when performed at the parts-count level within large. and guidelines/check sheets are available for assistance. However. LIMITATIONS The following limitations are imposed when performing FMEAs and FMECAs [1]: Costly in man-hour resources. If too much emphasis is placed on identifying and eliminating single-point failures.Provides a mechanism for more thorough analysis than a fault tree analysis.to obtain for a FMECA. Probabilities or the consequences of system failures induced by co-existing. Failure probability data are often difficult. since every failure mode of each component of the system is assessed [6]. This analysis depends heavily on the ability and expertise of the analyst for finding all necessary modes. Although systematic. the level of design maturity required for a FMECA is not generally achieved until late in the design phase. multiple-element faults or failures within the system are not addressed or evaluated. /~. no check methodology exists to evaluate the degree of completeness of the analysis. Human error and hostile environments frequently are overlooked. then focus on more severe system threats (posed by co-existing failures/faults) may be overlooked. complex systems.

TN: Sverdurp Technology. Inc. DF. RA. V-12 . B [1990J. Albuquerque. Procedures for performing a failure modes. NUREG-0492. MIL-STD-1629A.S.S. Vesely. FF [1981].REFERENCES 1. (available at http://www. Roland. Mohr. Stephans. 2nd ed.principles and practices. London: Butterworths. Lees. Raheja. System safety engineering and management. New York: Prentice-Hall. [1997]. D [1989]. Failuremodes and effects analysis (lecture presentation). Goldberg. Moriarty. Department of Defense [1980J. SUGGESTED READINGS Layton. WW. Talso. NM: New Mexico Chapter of the System Safety Society. effects.System safety analysis handbook. U. Fault tree handbook. FP [1980]. and criticality analysis. NH. Loss prevention in the process industries (2 volumes). RR [1992]. New York: John Wiley & Soos. Chester. eds. WE. 2nd ed. Tullahoma. System safety . Assurance technologies .sverdrup. Government Printing Office. DG [1991]. 6th ed. HE. DC: U. Roberts.including DOD standards. Haasl. Washington. .com!svt). OH: Weber Systems Inc.

7. QUESTIONS What is the difference between a fault and a failure? What is a single-point failure? Does a classic FMEA allow prioritization of single-point failures? Why or why not? What are the differences between an FMEA and an FMECA? Describe a strategy for minimizing the time required to perform an FMECA (as well as the size of the resulting document).sverdrup. 4. What is a major weakness of the FMEA or FMECA technique? Can an FMEA be (usefully) performed in the conceptual design phase of a project? Can anFMECA be started before a risk assessment matrix has been constructed? How does FMEA deal with co-existing faults/failures? The instructor may obtain presentation slides for a workshop problem entitled. 3. 8.SAMPLE DISCUSSION AND EXAMINATION 1. 2. V-13 . 5.comlsvt. "Furry Slurry Processing" at http://www. 6. 9.

.

3. 6. 4. acquaint the student with the following: Symbology of reliability block diagram Depiction of series and parallel circuits Procedures for performing reliability block diagram analysis Reliability bands System reliability Reliability Series circuit Parallel circuit Series-parallel circuits Parallel-series circuits Reliability band SPECIAL TERMS: VI-l . 3. 2. 5. 4. 1. 5.LESSON VI RELIABILITY BLOCK DIAGRAM PURPOSE: OBJECTIVE: To introduce the student to the procedures and application of reliability block diagram analysis. To 1. 2.

VI-2 .

However. Each block represents an event or system element function. Type of Circuit Series Simple reliability block diagram construction System Reliability #.2]. These blocks are connected in series if all elements must operate successfully for the system to operate successfully. parallel. A diagram may contain a combination of series and parallel circuits. RBDs illustrate system reliability. Table VI-I. Each RBD has an input and an output and flows left to right from the input to the output. The system operates if an uninterrupted path exists between the input and output [1.DESCRIPTION A reliability block diagram (RBD) is a backwards (top-down) symbolic logic model. component. these blocks typically depict system element functions only.[(1-R (l-Ram A ) (1.2]. = I -[(l-(RARa)) (I-(RA))] # Assumes all components function independently of each other. Reliability is the probability of successful operation over a defined time interval. Blocks may depict the events or system element functions within a system. VI-3 . Simple RBDs are constructed of series. subassembly. or part [1. A system element can be a subsystem. and their derivations are found in [2]. These blocks are connected in parallel if only one element needs to operate successfully for the system to operate successfully.[(I-RJ (l-~)]) Parallel-Series R. = (1 . or combinations of series and parallel elements (see Table VI-I). Each element of a block diagram is assumed to function (operate successfully or fail) independently of every other element. Block Diagram Representation Parallel R. generated in the success domain. The relationships between element reliability and system reliability for series and parallel systems are presented below.

others are bottom-up. APPLICATION An RBD allows evaluation of various potential design configurations [2]. I =RRR I 2 3. n. G and B. Typical complex reliability block diagram It is important to remember that each analytical technique discussed in this module complements (rather than supplants) the others. as presented in Figure VI-l. . Notice that in this example. there is no "Swiss army knife" technique that answers all questions and is suitable for all situations. Required subsystem and element reliability levels can be determined to achieve the desired system reliability. this is not a true series or parallel arrangement.. This is because each technique attacks the system to be analyzed differently-some are top-down. system element reliability. n = = system reliability. These systems must be modeled with a complex RBD. if component E fails. Some complex systems cannot be modeled with true series and parallel circuits. then paths B. Though it has long been sought. H are not success paths. Typically.. Figure VI-I. An RBD may also be used to identify elements and logic as a precursor to performing a fault tree analysis (Lesson VII). these functions are performed during the design and development phase.Series Systems n Rg=UR. E. Thus. E. Parallel Systems n Rs=l-II(1-Ri)=[l-[(l-Rl I )(1-~)(1-~) ····(l-~)]] where Rs = R. and number of system elements (which are assumed to function independently) Not all systems can be modeled with simple RBDs. VI-4 ..

the reliability band ranges from a low (~L) to a high to a (~H) estimate. Using a mathematical representation of the system. (3) Calculate system reliability band. Continue this process until one of the above four basic arrangements remains. For series systems with n elements that are to function independently. e. Then treat each parallel branch as an element in a series branch and determine the system reliability by using the equations in Item 3a. both of which are selected by the analyst.. procedures (adapted from [2]) to generate a simple RBD are presented below. Table VI-2 present the estimated reliability band for each component over the system's estimatedlO-year life interval. For series-parallel systems..... . For parallel systems with n elements that are to function independently. For parallel-series systems. For an individual element. Then determine the system reliability. first determine the reliability for each series branch using the equations in Item 3a. For systems that are composed of the four above arrangements. Subsystem 2 is a backup for subsystem 1. d. A functional diagram of the system is helpful. on the basis of available data. Subsystem 1 has three components and at least one of the three must function successfully for the subsystem to operate. in the following manner: a. (1) Divide a system into its elements. determine the reliability for the simplest branches. (2) Construct a block diagram using the convention illustrated in Table VI-4. Then treat each series branch as an element in a parallel branch and determine the system reliability by using the equations in Item 3b. VI-5 . ~L (low) to ~H (high). the corresponding reliability band [with a range from RSL (low) to RSH (high)] for a system is calculated from the individual element reliability bands. Subsystem 2 has three components that all need to function successfully for the subsystem to operate.. . n RSL = I-II (I-RpL) I = [l-[(l~RIL )(l-RzL ) (1-R3L ) . first determine the reliability for each parallel branch using the equations in Item 3b. from each individual element's reliability band . c./ ~- PROCEDURES The. n n b. EXAMPLE A system has two subsystems designated 1 and 2. treat these as branches within the remaining block diagram. RsL (low) to RSH (high). (l-RnJd]] Note: The reliability band is analogous to a confidence interval for the reliability of an individual element or system. (l-RuLm RSH = I-IT (l-RpH) I n = [1-[(l-RlH )(l-RzH) (1-R3H ) . and determine the reliability for the new simplest branches. Then.

Blocks representing elements in an RBD can be arranged in a manner that represents how these elements function in the system [1].951 = = System: RsL "'" 1-[(1-0.70 0.97 0.951)] Therefore. Figure VI-2.99) = = 0.998 0.60)] RIH = 1-[(1-0.96)(0.84 0. Example reliability block diagram Calculations for subsystem and system reliabilities are presented below: Subsystem 1: RIL = 1-[(1-0.97)(0.976)(1-0. VI-6 .983 (High band value) (Low band value) (High band value) 0.99)(0.98) (0.98)(0.96 0.922)] RsH = 1-[(1-0.922 0.999. ADVANTAGES An RED hasthe following advantages: Allows early assessment of design concepts when design changes can be readily and economically incorporated [2].62)] ~L ~H = = = = 0. Reliability bands for example system Subsystem 1 1 1 2 2 2 .84)(1-0.72)(1-0. Component A B C D E F Reliability Bands Low High 0.80 0.999 (Low band value) (High band value) 0.99 0.98 0.70)(1-0. Also note that the components for subsystem 1 form a series circuit and the components for subsystem 2 form a parallel circuit. Note that the components for subsystem 1 are in a parallel circuit with the components of subsystem 2.Table VI.60 0.62 0.976 (Low band value) Subsystem 2: (0.983)(1-0.2.998 to 0.72 0. Tends to be easier for an analyst to visualize than other logic models such as a fault tree [1].98 0. the reliability band for the system is 0..99 Figure VI~2 presents an RBD for the system.80)(1-0.

seriesparallel. If the element reliability values have different confidence bands. they can be generated before performing a fault tree analysis and transformed into a fault tree by the method discussed in Lesson X. Such a breakdown for a large system can be a significant effort [2]. Not all systems can be modeled with combinations of series. System element reliability estimates might not be readily available for all elements.Since RBDs are easy to visualize. 2]. this can lead to significant problems. LIMITATIONS An RED has the following limitations: Systems must be broken down into elements for which reliability estimates can be obtained. parallel. or parallel-series circuits. However. and not be accepted by others in the decision making process. VI-7 . Some reliability estimates may be very subjective. determining system reliability for such a system is more difficult than for a simple RBD [1. difficult to validate. These complex systems can be modeled with a complex RBD.

T. Lamberson. Koren. SUGGESTED READINGS Pages. Riley. Proceedings from annual reliability and maintainability symposium. VI-8 .REFERENCES 1. SAlC. 2. M [1986]. Gough. A new approach to the analysis of reliability block diagrams. New York: John Wiley & Sons. A. KC. JM: [1990]. Reliability in engineering design. New York: Springer Verlag. System preliminary evaluation and prediction in-engineering. -Kampur. CA. LR [1977]. Godran. Los Altos. WS.

as the case may be) independently of one another? Write an expression for the reliability of a circuit consisting of three resistors (a. Diagram a series-parallel circuit. and c) arranged in series. 5. 3. 6. f. Diagram a parallel-series circuit. VI-9 . b. e. AND EXAMINATION QUESTIONS During what project phase can a reliability block diagram be constructed? Name four circuit types that can be modeled with a reliability block diagram. Write an expression for the reliability of a circuit consisting of four resistors (d. In reliability block diagrams. 7. 4.SAMPLE DISCUSSION 1. 2. are the elements assumed to operate (or not operate. and g) arranged in parallel.

.

advantages. 3.LESSON VII FAULT TREE ANALYSIS PURPOSE: OBJECTIVE: To introduce the student to the procedures and applications of fault tree analysis. 12. . Probability propagation through logic gates 8. and limitations of fault tree analysis 1. Procedures for determining cut sets and cut set probability 6. Structural and quantitative significance of cut sets 11. 14. Exact solution of OR gate failure probabilities 10. 10. 5. 18. Rare event approximation for propagating failure probabilities through OR gates 9. 9. VII-l . Logic of fault tree analysis 2. 7. 19. Application. Procedures for calculating top event probability 5. Procedures for determining path sets 7. Symbology for fault tree analysis 4. 15. Procedures for fault tree analysis 3. AND gate OR gate INHIBIT gate External event Undeveloped event Conditioning event Basic event Top event Contributor Intermediate event Necessary and sufficient conditions Cut set Cut set probability Cut set importance Item importance Path set Delphi technique Boolean-indicated cut sets Minimal cut sets SPECIAL TERMS: 6. 13. 8.· 11. 16. 2. Log-average method of probability estimation 12. To acquaint the student with the following: 1. 17. 4.

VII-2 .

undesirable condition or event..DESCRIPTION A fault tree analysis (FTA) is a top-down symbolic logic model generated in the failure domain. Sensitivity studies can be performed allowing assessment of the sensitivity of the TOP event to basic initiator probabilities. of a system to the failures or faults (fault tree initiators) thai could act as causal agents. therefore R + PF = S/(S+F) + F/(S+F) = 1 and PF= l-R It is important to remember that each analytical technique discussed in this module complements (rather than supplants) the others. where F = number of failures and S = number of successes Since reliability for an event is defmed as the number of successes per number of attempts. if none of them occurs. if they all occur. and determining cut sets and path sets. Fault tree analyses are applicable both to hardware and non-hardware systems and allow probabilistic assessment of system risk as well as prioritization of the effort based upon root cause evaluation. there is no "Swiss army knife" technique that answers all questions and is suitable for all situations. The probability of failure for an event is defmed as the number of failures per number of attempts. cause the TOP event to occur. integration. deployment of resources to mitigate risk of high-risk TOP events can be optimized. FT As are typically performed in the design and development phase. cause the TOP event to occur. called the TOP event. VII-3 .sverdrup. others are bottom-up. but may also be performed in thefabrication. and evaluation phase. propagating failure probabilities to determine the TOP event probability. will guarantee that the TOP event cannot occur. Therefore. Action items resulting from the investigation may be numerically coded to the fault tree elements they address. A minimal cut is a least group of initiators that will. test. This can be expressed as: PF = F/(S+F) . A cut set is any group of initiators that will. if they all occur. The subjective nature of risk assessment is relegated to the lowest level (root causes of effects) in this study rather than at the top level. A path set is a group of fault tree initiators that. This is so because each technique attacks the system to be analyzed differently-some are top-down. This model traces the failure pathways from a predetermined. FTAs can be used to identify cut sets and initiators with relatively high failure probabilities.comlsvt for supporting presentation slides. An FTA is a powerful diagnostic tool for analysis of complex systems and is used as an aid for design improvement. to ensure that an ensemble of countermeasures adequately suppresses the probability of mishaps. Previous identification of the undesirable event also includes a recognition of its severity. This type of analysis is sometimes useful in mishap investigations to determine cause or to rank potential causes.e. An FTA can be carried out either quantitatively or subjectively [1]. and resources prioritized by the perceived highest probability elements. APPLICATION FTAs are particularly useful for high-energy systems (i. The FTA includes generating a fault tree (symbolic logic model). potentially high severity events). then the relationship between the probability of failure and reliability can be expressed as follows: R = S/(S+F). entering failure probabilities for each fault tree initiator. Though it has long been sought. See http://www.

identify qualitative common cause vulnerability. but can progress through the phases until the specific analysis objectives are met. event. intermediate events. These symbols are defined in Table VII-2. Cut sets also enable analyzing structural. Additional details are included in the latter sections of this lesson to provide insight into the mathematics involved in the commercially available fault tree programs. if none of them occurs. and item significance of the tree. (3) AND gate. Fault tree generation Benefits All basic events (initiators). cause the TOP event to occur. (2) inclusive OR gate. Fault tree analysis procedures Procedural Phases 1. Although many event and gate symbols exist. All path sets are determined. quantitative. Table VII-l summarizes the benefitsfor. will guarantee the TOP event cannot occur. for small trees. Table VII-I. if they all occur. A frequent error in fault tree construction is neglecting to identify common causes. Probabilities are identified for each initiator and propagated to intermediate events and the TOP event. All large trees are typically analyzed using these programs. A method for detecting common causes is described in Section 3 (item 8). presented below. most fault trees can be constructed with the following four symbols: (I) TOP or intermediate event. or phenomenon that will simultaneously induce two or more elements of the fault tree to occur. (2) probability determination. The analyst does not have to perform all four phases. All cut sets and minimal cuts sets are determined. 2.-PROCEDURES The procedures for perfonningan FTA are. (3) identifying and assessing cut sets. hand analysis may be practical. Identifying path sets The procedural phases listed in Table VII-l are further described in the following section. A minimal cut set is a least group of initiators that. VII-4 . Analysis of a cut set can help evaluate the probability of the TOP event. and (4) identifying path sets. Fault Tree Generation Fault trees are constructed with various event and gate logic symbols. A common cause is a condition. and the TOP event are identified. Figure VII-I illustrates the procedures to construct a fault tree [1].the four procedural phases. A cut set is any group of initiators that will. and (4) basic event. These procedures are divided into the four phases: (1) fault tree generation. if they all occur. and assess quantitative common cause probability. Probability determination 3 _Identifying and assessing cut sets 4. will cause the TOP event to occur. A path set is a group of fault tree initiators that. A symbolic logic model illustrating fault propagation to the TOP event is produced.

but only one input exists. Fault tree construction symbols Symbol Name Description TOP Event. Mutually Exclusive OR Gate An output occurs if one or more inputs exist.. Any single input is necessary and sufficient to cause the output event to occur. i/~' VII-5 . Exclusive OR Gate An output occurs if one.. These events determine the resolution limit of the analysis. All inputs are necessary and sufficient to cause the output event to occur. However. They are also called leaves or in itiators. D Event (TOP or Intermediate) of< Q ~ ~ ~ Inclusive OR Gate . Refer to Table VIl-3for additional information. Any single input is necessary and sufficient to cause the output event to occur. An output occurs if one or more inputs exist. All inputs are necessary and sufficient to cause the output event to occur. Intermediate Event. Any single input is necessary and sufficient to cause the output event to occur. Priority AND Gate An output occurs if all inputs exist and occur in a predetermined sequence. Mathematically treated as an AND Gate. Refer to Table VII-3 for additional information. 0 External Event An event that under normal conditions occur. undesired event to which failure paths oflower level events lead. Q ~ I AND Gate '" An output occurs if all inputs exist..Table VII-2. 0 Basic Event '" An initiating fault or failure that is not developed further.This event describes a system condition produced by preceding events.This is the conceivable.. Most fault trees can be constructed with these four logic symbols. 0 INHIBIT Gate An output occurs if a single input event occurs in presence of an enabling condition. Refer to Table VII-3 for additional information. is expected to . Probability = I . all other inputs are then precluded.

restraints. Conditioning Event These symbols are used to affix conditions. Inc. resources. Fault tree construction process Probability Determination If a fault tree is to he used as a quantitative tool.o o Symbol Name Description Undeveloped Event An event not further developed because of a lack of need. or information. Identify first-level contributors. VII-6 . This technique is described in [3] and is illustrated in Figure VII-2. Tullahoma. Identify undesirable TOP event. the probability of failure must be determined for each basic event or initiator. industry consensus standards.. A source for human error probabilities is found in [2]. or restrictions to other events. The log average method is useful when the failure probability cannot be estimated but credible upper and lower boundaries can be estimated. historical evidence (of the same or similar systems). MIL standards. © 1997 Figure provided courtesy of Sverdrup Technology. and the log average method. Sources for these failure probabilities may be found from manufacturer's data. Tennessee [1] Figure VII-I. Delphi estimates. Failure probabilities can also be determined from a probabilistic design analysis. Link second-level contributors to TOP by logic gates. simulation or testing. as discussed in Lesson XV. Repeat / continue ... The Delphi technique derives estimates from the consensus of experts. Link contributors to TOP by logic gates. Identify second-level contributors.

the use of this exact solution is seldom warranted. the propagation solution through an OR gate is simplified by the rare event approximation assumption.5 times the lower bound and 0.05 0. Glen J. © 1997 Figure provided courtesy of Sverdrup Technology. including the gates infrequently used. they are propagated through logic gates to the intermediate events and finally the TOP event.0316+ Log Average = Antilog LogPL +LogPu 2 0.5= 0.04 0. Once probabilities are estimated for all basic events or initiators.• am. "Risk Management Guide..055 l. SSDC·.07 I 0. • Average the logarithms of the upper and lower bounds.03 10. Table VII-3 presents the propagation equations for the logic gates.. but upper and lower credible bounds can be judged .. The probability of failure of independent inputs through an AND gate is the intersection of their respective individual probabilities.02 0. Log average method ofprobability estimation Probabilities must be used with caution to avoid the loss of credibility of the analysis. for the example shown. Inc. 0. Propagation offailure probabilities for two independent inputs through an AND and OR (inclusive) gate is conceptually illustrated in Figure VU-4. 0.55 times the upper bound. it is best to stay with comparative probabilities rather than the "absolute" values.• • Estimate upper and lower credible bounds of probability for the phenomenon in question . VII-7 ..1 PL Lower probability bound 10'" L '+ k = Antilog -2- (-2) + (-1) ~ = 10-1. ODE 76-45111. Propagation of confidence and error bands is performed simply by propagation of minimum and maximum values within the tree.1 = 0. Thus.0316228 Pu Upper probability bound 10-1 1 Note that.e. Figure VII-3 illustrates the relationship between reliability and failure probability propagation of two and three inputs through OR (inclusive) and AND gates. Tennessee [1J Figure VII-2.If probability is not estimated easily. confidence or error bands on each cited probability number are required to determine the significance of any quantitatively driven conclusion. explicitly declared. The probability of failure of independent events through an OR (inclusive) gate is the union of their respective individual probabilities. Normalizing data to a standard. the arithmetic average would be•.01 0. Tullahoma.September 1982. 'REFERENCE: Briscoe.. 5. In many cases. Also. Figure VII-5 presents the exact solution for OR gate propagation. it is geometrically midway between the limits of estimation.. As shown in Figure VII-3. meaningless value is a useful technique here. However. • The antilogarithm of the average of the logarithms of the upper and lower bounds is less than the upper bound and greater than the lower bound by the same factor." System Safety Development Center.

Relationship between reliability and failure probability propagation AND Gate ••.(RA + Re . OR Gate . Inc.PA) + (1 . Tennessee [1J Figure Vll-3.RARe IFor 2 Inputsl F AND Gate Both independent elements must fail to produce system = 11 _ failure. Failure probability propagation through OR and AND gates vrr-s .. Inc.PA)(1 .RA + Rs (RARe) PF = 1 .Pa)] PF = PAPS "Rare event approximation" _ IFor 3 Inputs I Omit for approximation © 1997 Figure provided courtesy 0/ Sverdrup Technology. 1 and 2 are INDEPENDENT events © 1997 Figure provided courtesy of Sverdrup Technology. independent.. Tullahoma.RARe) PF = 1 -[(1 . element failures produces syste~ failure.F\ PF = 1 .(1 . _ . Tullahoma. 1R + P RT . Tennessee [1J Figure VII-4..OR Gate Either of two.' RT .Pe) ..

It provides an exact solution for propagating probabilities through the OR gate. = (1 .P3}'" (1 .L p.Pn)] © 1997 Figure provided courtesy of Sverdrup Technology.Po) p. VII-9 . = (1 .P. PT =I1Pe = 1 - (II (1- P)) PT = 1 . Simplified expression for rare event approximation assumption. p.(Pl2) p=p+p# T I Z P2 Pr= PI + Pz .p. = (1 - P. Inc. Tullahoma. p. : I • P. Its use is rarely justifiable..[2 (PIP2)] P =p+p# T I 2 0 P2 P2 Mutually Exclusive OR Gate ~ I Q ~ / I AND Gate t and (Priority AND Gate) •• cu PI P2 PT = PI + Pz PT = Pl2 # t Most fault trees can be constructed with these two logic gates.P1) (1 . Exact solution of OR gate failure probability propagation Table VII-3. Probability propagation expressions for logic gates Symbol Name Inclusive OR Gate Venn Diagram Propagation Expressions t Exclusive OR Gate • PI P1 PI PT= PI + P2 .Pz) (1 . P3 The ip operator (U) is the co-function of pi (rr).): - P.[(1. p.) \ ~. Tennessee {I] Figure VII-5.

if all the the group occur. then the TOP event is vulnerable to the common cause the subscript represents. This indicates that the probability number. (2) Assign a unique letter to each gate and a unique number to each initiator. Next. A minimal cut set is the smallest number (in terms of elements. quantitative. h for human operator. Analysis of a cut set can help evaluate. These procedures for determining cut sets are described in [1] and are based on the MOeUS computer algorithm attributed to J. (4) When all the gates/letters have been replaced. v for vibration..starting from the top of the tree. The remaining rows defme the minimal cut sets of the fault tree. may be significantly in error. eliminate redundant elements within rows and rows that repeat other rows. Determining Cut Sets Assessing Cut Sets (6) A cut set is initiators in that the cut propagation any group of initiators that will produce the TOP event. not probability) of initiators that will produce the TOP event. Cut sets also enable analyzing structural. through visual inspection. if all the initiators in the group occur. and assess common cause probability. The letter for the gate directly beneath the TOP event will be the first entry in the matrix. identify common cause vulnerability.Identifying Cut Sets A cut set is any group of initiators that will produce the TOP event. while others will have none. they no longer represent statistically independent events. i. Cut sets are determined via the following procedure: (1) Consider only the basic events or initiators (discarding intermediate events and the TOP event). Thus. if all the initiators in the group occur. etc. Proceed through the matrix construction by (a) substituting the letters for each AND gate with letters for the gates and numbers of the initiators that input into that gate (arrange these letters and numbers horizontally in the matrix rows) and (b) substituting the letters for each OR gate with letters for the gates and numbers of the initiators that input into that gate (arrange these letters and numbers vertically in the matrix columns). (5) Visually inspect the final matrix and eliminate any row that contains all elements of a lesser row. PK (the probability set will induce the TOP event) is mathematically the same as the through an AND gate.the probability of the TOP event. (3) From the top of the tree downwards. since the same event (the so-called common cause) could act to precipitate each event. Each row of this matrix represents aBooleanindicated cut set. and item significance of the tree. If any are identified.B. Identify minimal cut sets for which all elements have identical subscripts. the cut set probability. Fussell. q for heat.e. expressed as: (7) Determine common cause vulnerability by assigning unique letter subscripts for common causes to each numbered initiator (such as m for moisture. a final matrix is produced with only numbers of initiators. create a matrix using the letters and numbers. calculated as above. One method of determining and analyzing cut sets is presented below.). Note that some initiators may have more than one subscript. VII-tO ..

called a singleton. indicates a potential singlepoint failure. A cut set with a single initiator. A cut set with few elements indicates high vulnerability. if none of them occurs. (10) Assess the quantitative importance. IK• of each cut set. Steps 1-5). significance of the cut sets to provide qualitative ranking of contributions to system failure. (11) Assess the quantitative importance. determine the numerical probability that this cut set induced the TOP event. (9) Assess the structural. Ie' of each initiator. VII-li . if it has occurred. and PT· = the probability of the TOP event occurring. Assuming all other things are equal then: a. Identifying Path Sets A path set is a group of fault tree initiators that. b. Each row of the final matrix defines a path set of the original fault tree. A cut set with many elements indicates low vulnerability. where PK = the probability that the cut set will occur (see Item 6 above). d. and = importance of the minimal cut sets containing initiator e. The procedures to determine path sets are as follows: (1) Exchange all AND gates for OR gates and all the OR gates for AND gates on the fault tree. (2) Construct a matrix in the same manner as for cut sets (see Determining Cut Sets. and inducing all terms within the affected cut set.(8) Analyze the probability of each common cause occurring. assuming it has occurred. That is. Numerous cut sets indicates high vulnerability. That is. e. Path sets can be used to transform a fault tree into a reliability diagram (see Lesson X). c. K. where Ne = number of minimal cut sets containing initiator IKe e. determine the numerical probability that initiator e contributed to the TOP event. ensures the TOP event cannot occur.

VII-12 . both low and high probability values that define a probability band for each initiator could be propagated through the fault tree to determine a probability band for the TOP event. In this example. X 10-4 1120 © 1997 Figure provided courtesy of Sverdrup Technology. However. for brevity. only a nominal probability value for each fault tree initiator is propagated through the fault tree to the TOP event. Faults/Year Assume 260 Operations/Year 4. Tullahoma. KEY: Faults/Operation 8. Example fault tree Cut Sets Figure VII-7 gives an example of how to determine Boolean-Indicated a fault tree. for a thorough analysis. Inc.EXAMPLES Fault Tree Construction and Probability Propagation Figure VII -6 gives an example of a fault tree with probabilities propagated to the TOP event. x 10-3 211 Rate. Tennessee [/ J Figure VII-6." The system being examined consists of alarm clocks used to awaken someone. the TOP event is the "artificial wakeup fails. In this example. X 10-4 1110 2.. minimal cut sets for Path Sets Figure VII-8 gives an example of how to determine path sets for a fault tree.

. represent it by the same number at each appearance. replace it horizontally. A is an AND gate. Inc. reduce to these Minimal Cut Sets. Each requires a new row.") Do not repeat letters. C is an AND gate. Tullahoma. ~ t!:fffj""'OOI&J!%Jt'" D (top row). 1 & C. If a basic initiator appears more than once. 12 223 14 243 Th ese Boolean. starting with the TOP "A" gate . replace it verti· cally. is an OR gate. (TOP gate is "A. is an OR gate.ndicate d Cut Sets . its inputs.. © 1997 Figure provided-courtesy of Sverdrup Technology. replace it vertically. Each requires a new row.. • Construct a matrix. its inputs. . B is an OR gate. 2 & 4. Replace as before.. the initial matrix entry. [I 3 4 D (2nd row).. Tennessee {IJ Figure VII-7. Example of determining cut sets / VII-13 . B & D..PROCEDURE: • Assign letters to gates. replace it horizontally. TOP event gate is A.. • Assign numbers to basic initiators. its inputs. 2 & 3. its inputs.

Single-point and common cause failures can be identified and assessed. if they cannot occur. 12 13 1-:_1. LIMITATIONS An FTA has the following limitations [1]: Address only one undesirable condition or event that must be foreseen by the analyst.Path Sets are least groups of initiators which.. 3 T4 15 T6 234 1 "Barring' terms (ff) denotes consderation of their ~ properties.. thereby guiding deployment of resources for improved control of risk. these Minimal Cut Sets . and these Path Sets. This tool can be used to reconfigure a system to reduce vulnerability. Tennessee [iJ Figure VII-8.. VII-14 ... Tullahoma.. several or many fault tree analyses may be needed for a particular system. Thus..-+-_4. © 1997 Figure provided courtesy of Sverdrup Technology.-+-----l_-I 3456 . guarantee against TOP occurring. Example of determining path sets ADVANTAGES An FTA has the following advantages [1]: Enable assessment of probabilities of combined faults/failures within a complex system. Fault trees used for probabilistic assessment of large systems may not fit or run on conventional PC-based software. • Path sets can be used in trade studies to compare reduced failure probabilities with cost increases to implement countermeasures... System vulnerability and low-payoff countermeasures are identified. Tree has ... Inc.

VII-1S . Caution must be taken not to "overwork" determining probabilities or evaluating the system. Events or conditions under the same logic gate must be independent of each other. A fault tree is flawed if common causes have not been identified. The failure rate of each initiator must be constant and predictable.The generation of an accurate probabilistic assessment may require significant time and resources. Specificmoncomparative) estimates of failure probabilities are typically difficult to find. limit the size of the tree. Comparative analyses are typically as valuable with better receptions from the program and design teams. and to successfully use to drive conclusions. Events or conditions at any level of the tree must be independent and immediate contributors to the next level event or condition. to achieve agreement on. i. • A fault tree is not accurate unless all significant contributors of faults or failures are anticipated.e.

ID: EG&G Idaho. Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications. H [1991]. New York: John Wiley and Sons. New York: John Wiley and Sons. Dillon. PA: Society for Industrial and Applied Mathematics. Riley. Haasl. Tullahoma. System safety engineering and management. Fault tree graphics . Reliability and fault tree analysis guide. Government Printing Office. PA [1982]. W. Washington. Government Printing Office. R. (see http://www. Idaho Falls. GR [1977]. W [1972].application to system safety. JM [1990]. Henley. 3. Goldberg. Inc. L [1975]. PL [1993]. Proceedings of the second international system safety conference. Engineering reliability . Malasky. Risk Management Guide.S. Fussell. NM: New Mexico Chapter of the System Safety Society. Roland. Guttman. Talso. Stephans. FF[1980]. Koren.[1997]. Inc. SSDC-Il.WS. RA. Roberts. 45/11. VII-16 . CA. DOE 7645/22. System safety analysis handbook. Los Altos. Singh. Briscoe.sverdrup. Fault tree analysis (lecture presentation). Kumamoto. NH. 4th ed . HE. Washington. 2nd ed. Potterfield.REFERENCES 1. J. Burdick. Philadelphia. Fault tree handbook. AD. Clemens. Moriarty. DC: U. New York: Garland Press. WW. WE. A new approach to the analysis of reliability block diagrams. eds. GJ [1982]. lB. NJ: Prentice Hall. Handbook of system and product safety. DC: Department of Energy No. Vesely. DF. HE [1980]. NUREG-0492. NUREG/CR-1278. DC: U. Wynholds. B [1990]. Swain. Bass. SW [1983] System safety: technology and application. 2nd ed. SUGGESTED READINGS DOE 76- Crosetti. Probabilistic risk assessment. Hammer. C [1981].S. Nuclear systems reliability engineering and risk assessment.comlsvt for a set of presentation slides). Washington. 1N: Sverdrup Technology. Gough. Proceedings from annual reliability and maintainability symposium. Albuquerque. New York: The Institute of Electrical and Electronic Engineers.new techniques and applications. BS. SAle. Englewood Cliffs.. Inc. EJ. 2.

and why is it used in fault tree analysis? What role does Boolean algebra play in fault tree analysis? Why does the fault tree analyst determine and evaluate cut sets for a fault tree? What is meant by cut set importance (or how is it used)? What is meant by item importance (or how is it used)? What is the difference between a primary and a secondary component failure? Which symbols are traditionally used to depict primary and secondary component failures when constructing a fault tree? What is a primary advantage of fault tree analysis over failure modes and effects analysis? How can fault tree analysis be used to detect vulnerability to common cause failure? What is the purpose of assessing cut sets? What is the purpose of assessing path sets? Lecture slides for workshop problems entitled. Why do system safety analysts refer to fault tree analysis as a top-down or deductive technique? What is the first requirement for constructing a fault tree (where do you start)? What is the rare-event approximation. 8.a Flawed Fault Tree.comlsvt. 3.SAMPLE DISCUSSION AND EXAMINATION 1. 10. 7. 13." "Test Cell Entry.sverdrup." and "Competing Redundant Valve Systems" are available at http://www. QUESTIONS 5. "Furry Slurry Processing. 4. VII-17 . 12. 6. 11. 9. 2." "Dual Hydraulic Brake System ." "The Stage to Placer Gulch." "Auxiliary Feed Water System." "Rocket Motor Firing Circuit.

Sign up to vote on this title
UsefulNot useful